Open Source and information security mailing list archives
Date: 2 Oct 2010 13:10:08 -0000
From: geinblues@...il.com
To: bugtraq@...urityfocus.com
Subject: Another new technique to bypass SEHOP. ( no 'xor pop pop ret' )


Lately, MS Windows SEH overflow attack techniques only use the following methods.

[mostly used method]
win xp sp2(SEH): 'pop pop ret' - David Litchfield 2003.
win xp sp3(SafeSEH): unloaded module's 'pop pop ret' - Litchfield 2003.
win server 2008/Vista sp1(SEHOP): SYSDREAM(c)'s 'xor pop pop ret'.

[my new method to exploit SEHOP]
I researched SEH and every reference I could find, and I found a way to exploit the SafeSEH+SEHOP protections all at once.
Below is the presentation PDF. :-)

Presentation URL:
http://www.x90c.org/SEH%20all-at-once%20attack.pdf

--
 David Litchfield's 2003 presentation introduced a method similar to my technique, which uses the allowed _except_handler3. But it was applied to SafeSEH only, and it differs from my technique.
--

Thank you, lists.


