lists.openwall.net - Open Source and information security mailing list archives (bugtraq)
Date: 2 Oct 2010 13:10:08 -0000
From: geinblues@...il.com
To: bugtraq@...urityfocus.com
Subject: Another new technique to bypass SEHOP. ( no 'xor pop pop ret' )

Lately, MS Windows SEH overflow attack techniques only use the following methods.

[mostly used methods]
Win XP SP2 (SEH): 'pop pop ret' - David Litchfield 2003.
Win XP SP3 (SafeSEH): unloaded module's 'pop pop ret' - Litchfield 2003.
Win Server 2008 / Vista SP1 (SEHOP): SYSDREAM(c)'s 'xor pop pop ret'.

[my new method to exploit SEHOP]
I researched SEH and every reference I could find, and found a way to exploit the SafeSEH+SEHOP protections all at once. Below is the presentation PDF. :-)

Presentation URL: http://www.x90c.org/SEH%20all-at-once%20attack.pdf

-- David Litchfield's 2003 presentation introduced a method similar to my technique, using an allowed _except_handler3, but it applied to SafeSEH only and differs from my technique.

-- Thank you, lists.
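Editor's added example (not part of the post above, and not taken from the linked presentation): a small C model of the two checks the post says its method has to get past at once. SEHOP walks the SEH chain from FS:[0] and refuses to dispatch unless every link is a plausible stack record and the terminating record is ntdll's final handler; SafeSEH separately requires the handler address to be one a loaded module registered. The struct layout, the stack-bounds rule and the function names (final_handler, app_handler, pop_pop_ret, sehop_chain_ok, safeseh_handler_ok) are this example's own simplifications, not ntdll code. It shows why the classic 'pop pop ret' overwrite, which clobbers the next pointer with filler, fails the SEHOP walk, and why an overwrite that preserves the chain still has to satisfy SafeSEH.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the x86 Windows SEH chain and of the two checks the post
 * says its method has to defeat. Assumption: these are stand-in structures and
 * functions written for this illustration, not ntdll's real code. */
typedef void (*seh_handler_t)(void);

struct seh_record {
    struct seh_record *next;    /* record further up the stack; SEH_END terminates */
    seh_handler_t      handler; /* _except_handler routine the dispatcher calls */
};

/* The real chain ends with next == 0xFFFFFFFF; modelled here as (void *)-1. */
#define SEH_END ((struct seh_record *)(uintptr_t)-1)

/* Stand-ins for the code addresses a real chain points at. */
static void final_handler(void) {}  /* ntdll's FinalExceptionHandler (what SEHOP anchors on) */
static void app_handler(void)   {}  /* a handler the program registered itself */
static void pop_pop_ret(void)   {}  /* an attacker-chosen 'pop pop ret' gadget */

/* Thread stack bounds: a record outside them is not a record at all. */
struct stack_limits { uintptr_t lo, hi; };

static int on_stack(const struct stack_limits *s, const struct seh_record *r)
{
    uintptr_t a = (uintptr_t)r;
    return a >= s->lo && a + sizeof *r <= s->hi && a % sizeof(void *) == 0;
}

/* SEHOP (model): walk the chain from the head. Every link must be a plausible
 * stack record and the terminating record must carry the known final handler,
 * so an overflow that clobbers a next pointer breaks the walk. */
int sehop_chain_ok(const struct seh_record *head, const struct stack_limits *s)
{
    const struct seh_record *r = head;
    for (int depth = 0; depth < 64; depth++) {
        if (!on_stack(s, r))
            return 0;                      /* link points off the stack */
        if (r->next == SEH_END)
            return r->handler == final_handler;
        r = r->next;
    }
    return 0;                              /* cycle or absurdly long chain */
}

/* SafeSEH (model): the handler must be one a loaded module registered. */
int safeseh_handler_ok(seh_handler_t h, const seh_handler_t *table, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (table[i] == h)
            return 1;
    return 0;
}

/* Three frames laid out as on the stack: stack[2] is the bottom-most record
 * ntdll installs, stack[0] is the head that FS:[0] points at. */
static void build_chain(struct seh_record stack[3])
{
    stack[2].next = SEH_END;   stack[2].handler = final_handler;
    stack[1].next = &stack[2]; stack[1].handler = app_handler;
    stack[0].next = &stack[1]; stack[0].handler = app_handler;
}

/* Constructed SafeSEH table: the only handlers the "modules" registered. */
static const seh_handler_t safeseh_table[] = { app_handler, final_handler };

/* Untouched chain: both checks pass and app_handler would be invoked. */
int intact_chain_dispatches(void)
{
    struct seh_record stack[3];
    struct stack_limits lim = { (uintptr_t)stack, (uintptr_t)(stack + 3) };
    build_chain(stack);
    return sehop_chain_ok(&stack[0], &lim)
        && safeseh_handler_ok(stack[0].handler, safeseh_table, 2);
}

/* Classic Litchfield-style overwrite: the overflow runs over record 0, so the
 * next pointer becomes filler (0x41414141) and the handler the gadget. */
int classic_overwrite_dispatches(void)
{
    struct seh_record stack[3];
    struct stack_limits lim = { (uintptr_t)stack, (uintptr_t)(stack + 3) };
    build_chain(stack);
    memset(&stack[0].next, 0x41, sizeof stack[0].next);
    stack[0].handler = pop_pop_ret;
    return sehop_chain_ok(&stack[0], &lim)
        && safeseh_handler_ok(stack[0].handler, safeseh_table, 2);
}

/* Handler overwritten but the next link left intact: SEHOP alone is satisfied,
 * which is why it is only meaningful alongside SafeSEH. */
int handler_only_overwrite_sehop_ok(void)
{
    struct seh_record stack[3];
    struct stack_limits lim = { (uintptr_t)stack, (uintptr_t)(stack + 3) };
    build_chain(stack);
    stack[0].handler = pop_pop_ret;
    return sehop_chain_ok(&stack[0], &lim);
}

int main(void)
{
    printf("intact chain dispatches:        %d\n", intact_chain_dispatches());
    printf("classic overwrite dispatches:   %d\n", classic_overwrite_dispatches());
    printf("handler-only overwrite, SEHOP:  %d\n", handler_only_overwrite_sehop_ok());
    return 0;
}
```

The third case is the one to keep in mind when reading the post: an overwrite that leaves a well-formed chain behind (or rebuilds one that ends at the final handler) is invisible to the SEHOP walk, so the remaining obstacle is SafeSEH's handler table, which is why the two protections are only effective together and why the post talks about defeating them "all at once".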