You make no mention of exploit mitigations like EMET or Windows Defender Exploit Guard. If your exploit requires that a "controlled address were jumped to", then even just mandatory ASLR (provided by both EMET and WDAG) would stop the exploit, no?
Replying to @wdormann
I was thinking the same thing :) Looking for a sample to test against Exploit Guard, but Mandatory ASLR should be effective here, No Child Process too.
No, ASLR only works if the binary was compiled with relocations. See the section ASLR->Weaknesses in my old report http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf
Replying to @0xdabbad00 @markwo
Is eqnedt32.exe really lacking a relocation table? And if so, what are you using to come to this conclusion?
Ah, it does have a .reloc section (from dumpbin). I didn't expect a .exe from 2000 to have that. My apologies. ASLR will work.
Replying to @0xdabbad00 @markwo
What's confusing to me is why despite having a relocation section, system-wide ASLR does *NOT* randomize the loaded address. It's loaded at 0x10000 every time for me, even if mandatory ASLR is enabled system-wide using either EMET or WDEG. @epakskape
The entropy for force relocated images comes from bottom-up ASLR which is only enabled by default if the EXE was built with /dynamicbase. Try turning on bottom-up ASLR as well.
Thanks. I'm pretty sure that Bottom-up ASLR is enabled along with Mandatory ASLR. But eqnedt32.exe is always loaded at the same location.
I believe "on by default" means "use the default system policy", which means bottom-up ASLR will only be enabled if the EXE was linked with /dynamicbase (which this one does not, I believe). Sound right, @markwo?
Yeah, that's right. I was seeing what Will describes last night until I enabled bottom-up ASLR for this process in Exploit Guard
Is there any way to enable Bottom-up ASLR on a system-wide basis? If not, then it would seem that Mandatory ASLR only really adds protection for apps that opt in. Which seems sort of non-Mandatory to me...
It is possible to enable bottom-up ASLR system-wide, but I'm not sure if it can be done via the WDEG UI, @markwo might know. Agree with your feedback here. I passed it on to the team.
Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7!
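An added example, not code from anyone in this thread: a small Python check of the three PE header facts the discussion turns on (relocations stripped, a base-relocation directory backing the .reloc section, and the /dynamicbase bit in DllCharacteristics), run against a constructed minimal PE32 header rather than the real eqnedt32.exe. Field offsets follow the PE specification; the verdict labels "fixed", "opt-in" and "force-relocatable" are my own names for the three cases the thread describes.

```python
import struct

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /dynamicbase
BASERELOC_DIR = 5         # IMAGE_DIRECTORY_ENTRY_BASERELOC

def pe_aslr_info(data: bytes) -> dict:
    """Parse the header fields that decide whether the loader can move this image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics is at +70 in both PE32 and PE32+; the data directories
    # start at +96 (PE32, magic 0x10B) or +112 (PE32+, magic 0x20B).
    dirs = {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", data, opt)[0]]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    reloc_size = 0
    if ndirs > BASERELOC_DIR:
        reloc_size = struct.unpack_from("<II", data, opt + dirs + 8 * BASERELOC_DIR)[1]
    # Section names (what dumpbin lists); each section header is 40 bytes.
    names = [data[opt + opt_size + 40 * i:][:8].rstrip(b"\0").decode() for i in range(nsec)]
    return {"relocs_stripped": bool(chars & RELOCS_STRIPPED),
            "dynamic_base": bool(dllchars & DYNAMIC_BASE),
            "has_reloc_data": reloc_size > 0, "sections": names}

def aslr_verdict(info: dict) -> str:
    """Map the header bits onto the three cases discussed in the thread."""
    if info["relocs_stripped"] or not info["has_reloc_data"]:
        return "fixed"              # no relocations: even Mandatory ASLR cannot move it
    if info["dynamic_base"]:
        return "opt-in"             # /dynamicbase: randomized under the default policy
    return "force-relocatable"      # needs Mandatory ASLR plus bottom-up ASLR for entropy

def build_pe32(dllchars: int, chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32 header (NOT a real eqnedt32.exe) used as sample input."""
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    secs = [b".text"] + ([b".reloc"] if reloc_size else [])
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, chars)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x3000 if reloc_size else 0, reloc_size)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

On a real file, `pe_aslr_info(open(path, "rb").read())` gives the same dictionary; the "force-relocatable" case is the one the thread observes for eqnedt32.exe, which has a .reloc section but was not linked with /dynamicbase.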