You make no mention of exploit mitigations like EMET or Windows Defender Exploit Guard. If your exploit requires that a "controlled address were jumped to", then even just mandatory ASLR (provided by both EMET and WDAG) would stop the exploit, no?
Replying to @wdormann
I was thinking the same thing :) Looking for a sample to test against Exploit Guard, but Mandatory ASLR should be effective here, No Child Process too.
1 reply 0 retweets 1 like -
No, ASLR only works if the binary was compiled with relocations. See the section ASLR->Weaknesses in my old report http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf
3 replies 0 retweets 9 likes -
Replying to @0xdabbad00 @markwo
Is eqnedt32.exe really lacking a relocation table? And if so, what are you using to come to this conclusion?
1 reply 0 retweets 1 like -
Ah, it does have a .reloc section (from dumpbin). I didn't expect a .exe from 2000 to have that. My apologies. ASLR will work.
1 reply 0 retweets 1 like -
Replying to @0xdabbad00 @markwo
What's confusing to me is why despite having a relocation section, system-wide ASLR does *NOT* randomize the loaded address. It's loaded at 0x10000 every time for me, even if mandatory ASLR is enabled system-wide using either EMET or WDEG. @epakskape
2 replies 1 retweet 2 likes -
My Windows knowledge is stale, but historically it would only be randomized across reboots. Without rebooting, it will always load at the same address. So technically that 0x10000 is randomized. Just it was only randomized once. The exe would load at 0x40000 without ASLR.
2 replies 0 retweets 0 likes -
Except it's loaded at 0x10000 for every reboot. And on every machine. So not really randomized. Just different than the default.
1 reply 0 retweets 0 likes -
If you try specifying that bottom-up ASLR should be always enabled for that EXE (rather than "on by default"), does the base address get randomized?
2 replies 0 retweets 0 likes
Yes, it does. See my prior tweet w/ screenshot: https://twitter.com/wdormann/status/930774937794744326
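As an added example, not from any participant in this thread, here is a Python check for the two properties the discussion hinges on: whether an EXE carries a .reloc section (so the loader can move it at all) and whether its DYNAMIC_BASE flag is set (so default system ASLR randomizes it without being forced). An image with relocations but no flag is the mandatory-ASLR case discussed above. The sample PE bytes are constructed by `build_sample_pe` and are not taken from eqnedt32.exe; all function names are mine.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image opts in to ASLR (PE/COFF spec)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF flag: no base relocations at all

def parse_pe(data: bytes) -> dict:
    """Read the header fields that decide whether ASLR can move an image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> PE signature offset
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics (both formats)
    sec_hdr = opt + opt_size                               # section table, 40 bytes per entry
    names = [data[sec_hdr + 40 * i:sec_hdr + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]
    return {"image_base": image_base,
            "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
            "has_reloc_section": b".reloc" in names}

def aslr_status(info: dict) -> str:
    """Classify how the loader treats the image under ASLR."""
    if info["dynamic_base"]:
        return "opt-in: randomized by default system ASLR"
    if info["has_reloc_section"] and not info["relocs_stripped"]:
        return "no DYNAMIC_BASE: rebased only when mandatory ASLR forces it"
    return "not relocatable: always loads at its preferred base"

def build_sample_pe(dll_chars: int, sections: list, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (not a real binary) used to exercise the parser."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(224)                                   # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
```

Run `aslr_status(parse_pe(open(path, "rb").read()))` against a real file to see which of the three cases it falls into.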