Re: Preventing exploitation with rebasing

From: Dave Aitel (daveat_private)
Date: Mon Feb 03 2003 - 19:18:42 PST


If only there was some way to get the addresses that a remote RPC
program used for its variables, which would tell us what segments were
valid. Perhaps page 49 of "DCE/RPC over SMB" by Luke Kenneth Casson
Leighton (hi Luke!) will help us out.

"Pointers.

The best way to think of the NDR representation of pointers is as tokens.
They "represent" pointers. There must be a monotonic (one-to-one)
mapping between the pointer that the token represents and the token
itself. Windows NT is primarily implemented on a 32-bit platform, the
x86 architecture, and the NDR pointer-tokens are also 32-bit. Microsoft
therefore puts memory addresses (sometimes actual pointers to kernel
memory [note: or process memory from the stack or various other
segments]) over-the-wire which does the trick and is simple to
implement, but not very secure."

This is generally what I'm seeing with Windows 2000 SP3 here in my lab.
(I spent a while trying to track down what a particular field in the
Locator traffic was, but it turned out to be just a part of my stack.)
In practice, you would want to get the address of the data segment for
RPCRT4, I imagine, rather than the all-too-fickle stack. :>

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/

(P.S. There are many vulnerable interfaces in the locator service, it
turns out. One of them is available by default.)


On Mon, 3 Feb 2003 13:49:31 -0800 (PST)
Michal Zalewski <lcamtufat_private> wrote:

> On Mon, 3 Feb 2003, David Litchfield wrote:
>
> > Use addresses such as 0x**000000 or 0x00**0000 for the new image
> > base. With there being a NULL in much of the image's address space
> > this will help. (This of course won't make a difference with unicode
> > overflows)
>
> Just FYI, both techniques are somewhat old in the *nix world. NUL in
> the address is, among others, implemented by the Openwall kernel patch
> on Linux, and PaX randomizes stack and executable base mapping
> addresses.
>
> --
> ------------------------- bash$ :(){ :|:&};: --
>  Michal Zalewski * [http://lcamtuf.coredump.cx]
>     Did you know that clones never use mirrors?
> --------------------------- 2003-02-03 13:45 --
>
>



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 14:03:06 PST