Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » Can't Take a Punch

The Hacks Continue: Bypassing ASLR

Cracking that glass jaw.


Get It

Try It

The most recent versions of Windows use ASLR and thus make it more difficult to outline memory layout for an exploit. But there are ways around this as always.

Statically Based DLLs and Executables

ASLR can be an effective method to thwart memory corruption but it's only effective if each and every address in the process is fully randomised. Code and data that remain at static addresses become easy targets. The first thing a hacker might do is look for processes that are always mapped at their 'preferred' base in memory.

Only modules with the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag set are randomised. Binaries in such case must be built with Visual Studio 2005 or later and must pass the /DynamicBase flag to the linker. Although Microsoft are generally good at using this flag the third party vendors have been slow to follow suit.

This type of attack is especially useful when attacking browsers as browsers often offer a plugin architecture. Malicious webpages can do any of the following.

  • Force metadata handling.
  • Instantiate ActiveX controls.
  • Forces the loading of libraries to parse embedded data.
  • Force the browser or its extensions to load shared libraries (DLLs).
  • Force the browser to load a library to handle a different Content-Type.
  • Force user authentication through a mechanism that uses its own library.
  • Specify URL schemes that force in-process loading of special protocol handlers.

Almost Static Objects

Objects that are almost at static addresses can still be relied on to be found in a specific region of memory. This can be exploitable if the objects can be made to grow to an arbitrarily large size. The regular space is exhausted and the heap is forced to grow larger. Provided allocations are more or less linear and virtual memory is limited it's possible to predict where data will be mapped.

Partial Overwrites

A partial overwrite corrupts only the least significant 1 or 2 bytes of a pointer. All randomisation in Windows is performed only on the high bytes; the low bytes will be the same no matter where the object is mapped.

This technique is particularly effective on little endian platforms since contiguous memory overwrites will corrupt the least significant bytes first. It can be enough to find a single byte overflow to make this work.

Memory Information Leaks

An information leak vulnerability allows the hacker to glean useful information about the target process. Best is if the hacker can obtain a pointer value.

  • A pointer can be used to determine where an object resides in memory.

  • Additional information can be inferred. A frame pointer tells hackers not only the location of the thread's stack but possibly the data elements surrounding the pointer as well as elements from previous frames. If the value points to a data section then hackers can know where the entire image resides in memory. Heap pointers are useful in determining the addresses of specific blocks of data.

And so forth. And information leaks have additional advantages in later versions of Windows. If hackers can learn the location of a shared library in memory then the address is also known for all running processes as well. Finding a shared library in one process is tantamount to knowing where it will be located in all processes on the system.

OK so those are potential security holes. But can they really be exploited?

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.