38
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov [email protected]

Explotation Over

Tags:

Embed Size (px)

DESCRIPTION

Explotation, protections in windows.

Citation preview

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov [email protected] About me Exploit development since 1999 Published research into reliable exploitation techniques: !Heap manipulation in JavaScript !Bypassing browser memory protections on Windows Vista (with Mark Dowd) Exploitation is getting harder !"#$"% '()"*+,-$)$.*/ +*)$,-)* *01)2$3,.2" !"#$ &'()*+,! 45564557 Overview of this talk The evolution of exploit mitigations !GS, SafeSEH, DEP, ASLR, SEHOP State of the art in exploitation !Windows XP through Windows 7 Windows 7 challenges and directions for future research The evolution of exploit mitigations Part I OS evolution Exploit mitigations Detect memory corruption: GS stack cookies SEH chain validation (SEHOP) Heap corruption detection Stop common exploitation patterns: GS variable reordering SafeSEH DEP ASLR GS stack cookies cookie-(8*+ !"#$% '($%)'* retaddr saved cookie Breaking GS cookie12$"3*+ ',+retaddr saved cookie pointer arg !"#$% '($%)'* -(8*+ shellcode GS variable reordering cookie-(8*+ !"#$% '($%)'* retaddr saved cookie non-buffer variables copes of arguments arguments (unused) 12$"3*+ ,+%(9*"3/ ,+* :21$*# -*;2+* 3


AND EXPLOITING XSS WITH OWASP XENOTIX XSS EXPLOIT FRAMEWORK V3 AJIN ABRAHAM nlu nullcon security conference -01 Pqezl nlu EXPLOTATION FRAMEWORK nullcon -01 Pqezl Goa http

AND EXPLOITING XSS WITH OWASP XENOTIX XSS EXPLOIT FRAMEWORK V3 AJIN ABRAHAM nlu nullcon security conference -01 Pqezl nlu EXPLOTATION FRAMEWORK nullcon -01 Pqezl Goa http

Documents
Francisco Amato - ekoparty security conference Amato - evilgrade.pdf · Introduccion Client side explotation Las politicas de seguridad generalmente de las compañias comienzan desde

Francisco Amato - ekoparty security conference Amato - evilgrade.pdf · Introduccion Client side explotation Las politicas de seguridad generalmente de las compañias comienzan desde

Documents
FINAL DISSEMINATION AND EXPLOTATION REPORT

FINAL DISSEMINATION AND EXPLOTATION REPORT

Documents
BASIC PAY EFFECTIVE JANUARY 1, 2016 - United … PAY—EFFECTIVE JANUARY 1, 2016 Pay Grade Over 20 Over 22 Over 24 Over 26 Over28 Over 30 Over 32 Over 34 Over 36 Over 38 Over 40 O-101

BASIC PAY EFFECTIVE JANUARY 1, 2016 - United … PAY—EFFECTIVE JANUARY 1, 2016 Pay Grade Over 20 Over 22 Over 24 Over 26 Over28 Over 30 Over 32 Over 34 Over 36 Over 38 Over 40 O-101

Documents
SOCIALNETS year 3 review 20 May 2011 Jon Crowcroft, Eiko Yoneki Deliverable 5.4 Workshop, wireless market report and Explotation Assessment Funded by the

SOCIALNETS year 3 review 20 May 2011 Jon Crowcroft, Eiko Yoneki Deliverable 5.4 Workshop, wireless market report and Explotation Assessment Funded by the

Documents
TECHNIFICATION OF OPEN PIT EXPLOTATION THROUGH … · rethink established alignments and comply with the monitoring and production indicators. An unsentweight mine cannot guarantee

TECHNIFICATION OF OPEN PIT EXPLOTATION THROUGH … · rethink established alignments and comply with the monitoring and production indicators. An unsentweight mine cannot guarantee

Documents
BASIC PAY EFFECTIVE JANUARY 1, 2016 · BASIC PAY—EFFECTIVE JANUARY 1, 2016 Pay Grade 2 or less Over 2 Over 3 Over 4 Over 6 Over 8 Over 10 Over 12 Over 14 Over 16 Over 18 O-101 O-91

BASIC PAY EFFECTIVE JANUARY 1, 2016 · BASIC PAY—EFFECTIVE JANUARY 1, 2016 Pay Grade 2 or less Over 2 Over 3 Over 4 Over 6 Over 8 Over 10 Over 12 Over 14 Over 16 Over 18 O-101 O-91

Documents
Client side explotation

Client side explotation

Technology
,0:$3URFHHGLQJV …€¦ · Over this layer of clay there is a plot of ... here j .'3 a water table in the explotation areas varying ... nce at t~'1e surface created hy the

,0:$3URFHHGLQJV …€¦ · Over this layer of clay there is a plot of ... here j .'3 a water table in the explotation areas varying ... nce at t~'1e surface created hy the

Documents
Mecanismo de Producción - Página Inicial55:00Z... · Vélez Hernández Manleydis Cecilia Project of Combined Explotation of the ... give answer to the demands of the Oil ... Combined

Mecanismo de Producción - Página Inicial55:00Z... · Vélez Hernández Manleydis Cecilia Project of Combined Explotation of the ... give answer to the demands of the Oil ... Combined

Documents
04 Organic Agriculture and Environment - FiBL -Home · Faculty of Agriculture and Environment ... › surface water: ... production based on explotation of non-renewable sources and

04 Organic Agriculture and Environment - FiBL -Home · Faculty of Agriculture and Environment ... › surface water: ... production based on explotation of non-renewable sources and

Documents
€¦ · Trader Joes J. Polep Dist. W akefern Number of Stores Over 2,200 Over 300 Over 30 Over 300 Over 100 Over 100 Over 25 Over 100 Over 1,700 Over 3,000 Over 200 Over 700 Over

€¦ · Trader Joes J. Polep Dist. W akefern Number of Stores Over 2,200 Over 300 Over 30 Over 300 Over 100 Over 100 Over 25 Over 100 Over 1,700 Over 3,000 Over 200 Over 700 Over

Documents
2 Explotation of Bacterial Activities in Mineral Industry

2 Explotation of Bacterial Activities in Mineral Industry

Documents
OVER DIMENSI & OVER LOADING

OVER DIMENSI & OVER LOADING

Documents
Client side explotation 2010 utpl

Client side explotation 2010 utpl

Education
Dissemination and explotation of results – strategy and tools · 1 Dissemination and exploitation of results – strategy and tools Galina Karamalakova, EACEA Unit A.3 Erasmus+

Dissemination and explotation of results – strategy and tools · 1 Dissemination and exploitation of results – strategy and tools Galina Karamalakova, EACEA Unit A.3 Erasmus+

Documents
Lawsuit Over the Movie, 'Shadow Over Over Innsmouth' Filed

Lawsuit Over the Movie, 'Shadow Over Over Innsmouth' Filed

Documents
METODOLOGIAS DE ANÁLISE E PROJETO DE …livros01.livrosgratis.com.br/cp037008.pdf · Although the recent trend for offshore oil explotation in deep waters is the use of ... designed

METODOLOGIAS DE ANÁLISE E PROJETO DE …livros01.livrosgratis.com.br/cp037008.pdf · Although the recent trend for offshore oil explotation in deep waters is the use of ... designed

Documents
The Imperfect Tense: Regular Verbs Over and over and over and over and over in the past

The Imperfect Tense: Regular Verbs Over and over and over and over and over in the past

Documents
MEXICO CITY METROPOLITAN AREA: THE LARGEST … · Surface water Groundwater Agriculture ... • Over-explotation of the aquifer ... Efficiency indicators for drinking water management

MEXICO CITY METROPOLITAN AREA: THE LARGEST … · Surface water Groundwater Agriculture ... • Over-explotation of the aquifer ... Efficiency indicators for drinking water management

Documents
Naoki Yoshihara - Reexamination of Marxian Explotation Theory

Naoki Yoshihara - Reexamination of Marxian Explotation Theory

Documents
The Violent Truth of Anti-Naxal Operations in South ... · PDF fileThe Violent Truth of Anti-Naxal Operations in South Chhattisgarh ... almost always some looting and explotation

The Violent Truth of Anti-Naxal Operations in South ... · PDF fileThe Violent Truth of Anti-Naxal Operations in South Chhattisgarh ... almost always some looting and explotation

Documents
Modeling trade and financial liberalization effects for ... · The Anti-Globalization view sustains that globalization inherently comes with more explotation at individual and country

Modeling trade and financial liberalization effects for ... · The Anti-Globalization view sustains that globalization inherently comes with more explotation at individual and country

Documents
Hydro Explotation - Apprentissages

Hydro Explotation - Apprentissages

Documents
Aquaculture - agrobiologiekzr.agrobiologie.cz/natural/data/...aquaculture_EN.pdf · “Aquaculture“ differs from capture fisheries or other aquatic organism explotation by level

Aquaculture - agrobiologiekzr.agrobiologie.cz/natural/data/...aquaculture_EN.pdf · “Aquaculture“ differs from capture fisheries or other aquatic organism explotation by level

Documents
TRAFFICKING FOR LABOUR EXPLOTATION - TACKLING … Forced labour is prohibited by the International Covenant of Civil and Political Rights (Article 8), the Charter of Fundamental Rights

TRAFFICKING FOR LABOUR EXPLOTATION - TACKLING … Forced labour is prohibited by the International Covenant of Civil and Political Rights (Article 8), the Charter of Fundamental Rights

Documents
MANAGEMENT STRATEGY OF GEOTHERMAL EXPLORATION … · The next step would be the explotation of selected prospects that can be done by a ... over 20 years. 2. ... constrains on surface

MANAGEMENT STRATEGY OF GEOTHERMAL EXPLORATION … · The next step would be the explotation of selected prospects that can be done by a ... over 20 years. 2. ... constrains on surface

Documents
PROPOSED ALTERATIONS & ADDITIONS · 2009-11-04 · eng's detail beam over beam over beam over beam over beam over provide metal soffit lining over @ 2600mm affl gable over fcl 2600

PROPOSED ALTERATIONS & ADDITIONS · 2009-11-04 · eng's detail beam over beam over beam over beam over beam over provide metal soffit lining over @ 2600mm affl gable over fcl 2600

Documents
Gemeente Groningen 22 September 2011 ©vandeSandeinlezingen,2011 Waar gaan we het over hebben? Over mensen Over feest Over veiligheid Over milieu Over

Gemeente Groningen 22 September 2011 ©vandeSandeinlezingen,2011 Waar gaan we het over hebben? Over mensen Over feest Over veiligheid Over milieu Over

Documents
Over and Over

Over and Over

Documents