3

Let's assume that a vulnerabled process is set up with an ASLR and DEP against all the imported modules used in this process and there is no way to find a module that is aslr free.. More over, the process is not used by JIT so JIT Spraying is out of scope as well as the heap is not used to cause a buffer overflow(it's a stack based buffer overflow).

How that scenerio could be defeated?

JDeff
  • 31
  • 2
  • See http://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx for s previous discussion on this. – NSSec Nov 01 '14 at 16:06
  • @MathieuK i've already seen that.. So in my case the only option left is brute-forceing? – JDeff Nov 01 '14 at 16:13

1 Answers1

3

The text segment which is also called the code segment, contains the application's static functionality is not randomized by ASLR. An exploit can jump anywhere into this region of memory reliably, which permits an attacker to build a chain of ROP gadgets. The most common goal of a ROP chain is to setup a stable environment to run shell code, but that is not the only use of ROP.

Additionally, pwn2own has come up with many other bypasses. I highly recommend reading the details papers that are published after every pwn2own. One of my favorite exploits uses a heap overflow to read ASLR'ed memory addresses.

rook
  • 46,916
  • 10
  • 92
  • 181
  • The text segment does not mostly contain code(even through it can be because this place is RWX), so how would you use ROP? you probably wont find gagdgets for your rop. @Rook – JDeff Nov 01 '14 at 18:01
  • @JDeff The text segment, which is also called the code segment contains all of the application's functionality that isn't included by DLLs. In most application there should be a wealth of ROP gadgets available. The trick if finding the ones you need. – rook Nov 01 '14 at 18:04
  • I confused with data section, got you! :) @Rook – JDeff Nov 01 '14 at 18:07
  • @JDeff totally fair, who the hell named this crap? – rook Nov 01 '14 at 18:08