
As far as I know, it is possible to overwrite the unchanged part of the EIP to bypass ASLR protection. Unfortunately, I do not understand how this can help me in order to jump to the location of my exploit. I would need the address of a [JMP ESP] instruction in order to do so, but since the address will always vary, what's the idea behind partially overwriting the EIP?

Furthermore, this answer states that a non-ASLR module is required. How can some parts of the address be fixed and some change in a non-ASLR module?

Jack Jones
  • Related to [Why are some DLLs not randomized? What makes it hard to deploy full ASLR for all DLLs](https://security.stackexchange.com/questions/42283/why-are-some-dlls-not-randomized-what-makes-it-hard-to-deploy-full-aslr-for-all) – Neil Smithline Mar 12 '16 at 18:43
  • Partial EIP overwrite means you have found that only a part of the bytes of EIP are randomized, i.e. can't be overwritten since they keep getting randomized, thus cutting down the total brute-force space to attack ASLR, i.e. guess the place to jump to in memory. With a little Google I found http://ly0n.me/2015/07/30/bypass-aslr-with-partial-eip-overwrite/ – dylan7 Mar 13 '16 at 01:39

1 Answer


With ASLR, not the full address of an instruction varies but only some higher bytes. So, for example, bytes 1+2 are static but bytes 3+4 are not. So the idea behind partially overwriting the EIP is to overwrite only the static bytes of an address to get (limited) control of the execution flow.

40F4
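The following simulation is an added example and not part of the question or the answer above. It models a 32-bit x86 stack frame (buffer, saved EBP, saved EIP) on a little-endian host and a module whose base is randomized only above a chosen alignment: 2^12 (4 KiB pages, the usual Linux granularity) or 2^16 (64 KiB, the granularity for Windows image bases). The offsets `ret_off` and `gadget_off` (the return address and a `jmp esp`-style gadget, both inside the same module) are constructed values, as are the simulated bases. Because the overflow writes upward in memory and the low bytes of the return address come first, stopping the write after one or two bytes leaves the randomized high bytes intact; the hit counts show when that is enough on its own and when a few bits still have to be guessed.

```c
/* Simulated partial EIP overwrite against an ASLR'd module (added example).
 * Assumes a little-endian host and a classic 32-bit x86 frame layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overflowable buffer followed by saved EBP and the saved return address
 * (the value RET pops into EIP). No padding: 16 + 4 + 4 = 24 bytes. */
struct frame {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Build a payload that fills buf and saved_ebp, then writes only the
 * `nbytes` least significant bytes of `target` (little-endian order). */
size_t build_payload(uint8_t *out, uint32_t target, unsigned nbytes)
{
    size_t eip_at = offsetof(struct frame, saved_eip);   /* 20 */
    if (nbytes > 4) nbytes = 4;
    memset(out, 'A', eip_at);
    for (unsigned i = 0; i < nbytes; i++)
        out[eip_at + i] = (uint8_t)(target >> (8 * i));
    return eip_at + nbytes;
}

/* Copy `payload_len` bytes into a frame whose saved EIP is `saved_eip` and
 * return what the saved EIP looks like afterwards. On a little-endian host the
 * first bytes past saved_ebp land on the LOW bytes of saved_eip, so a short
 * overflow changes only those and keeps the randomized high bytes. */
uint32_t overflow_frame(uint32_t saved_eip, const uint8_t *payload, size_t payload_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xbffff000u;            /* arbitrary constructed value */
    f.saved_eip = saved_eip;
    if (payload_len > sizeof f) payload_len = sizeof f;
    memcpy(&f, payload, payload_len);     /* the attacker stops writing here */
    return f.saved_eip;
}

/* Simulated ASLR: `ntrials` consecutive module bases, each aligned to
 * 2^granularity_bits, so the low granularity_bits of every address inside the
 * module never change. The attacker writes the low `nbytes` of gadget_off
 * (i.e. assumes the base contributes zero in those bits). Returns the number
 * of bases for which the corrupted return address equals base + gadget_off. */
unsigned partial_overwrite_hits(unsigned granularity_bits, unsigned nbytes,
                                uint32_t ret_off, uint32_t gadget_off, unsigned ntrials)
{
    uint8_t payload[sizeof(struct frame)];
    size_t len = build_payload(payload, gadget_off, nbytes);
    unsigned hits = 0;
    for (unsigned i = 0; i < ntrials; i++) {
        uint32_t base = 0x10000000u + (i << granularity_bits);
        uint32_t got  = overflow_frame(base + ret_off, payload, len);
        if (got == base + gadget_off) hits++;
    }
    return hits;
}

int main(void)
{
    /* Return address at module+0x1234; gadgets at module+0x12f0 (same 256-byte
     * block) and module+0x4c40 (same 64 KiB block). Constructed offsets. */
    printf("64K granularity, 2-byte overwrite -> gadget 0x4c40: %u/64 hits\n",
           partial_overwrite_hits(16, 2, 0x1234, 0x4c40, 64));
    printf(" 4K granularity, 2-byte overwrite -> gadget 0x4c40: %u/64 hits (4 bits to guess)\n",
           partial_overwrite_hits(12, 2, 0x1234, 0x4c40, 64));
    printf(" 4K granularity, 1-byte overwrite -> gadget 0x12f0: %u/64 hits\n",
           partial_overwrite_hits(12, 1, 0x1234, 0x12f0, 64));
    printf(" 4K granularity, 4-byte overwrite -> gadget 0x4c40: %u/64 hits (needs the full address)\n",
           partial_overwrite_hits(12, 4, 0x1234, 0x4c40, 64));
    return 0;
}
```

Reading the results: a one-byte overwrite always lands within the 256 bytes around the original return address, whatever the randomization granularity, because the page offset is never randomized. A two-byte overwrite is deterministic when the base is 64 KiB aligned, but with 4 KiB pages the attacker's assumption about bits 12 to 15 is right only one time in sixteen, which is the reduced brute-force space the comment above refers to. Writing all four bytes makes the result independent of the randomized base and therefore misses unless the absolute address is known, which is exactly why the partial overwrite is used instead.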