ROPs_are_for_the_99_CanSecWest_2014

Recommendations

Info

• Internal implementations are very different – Size of jscript.dll is about 800K – Size of jscript9.dll is about 2800K JScript 9 VS JScript 5.8 • Nearly identical for web developers • Very different for exploit developers • JScript 9 is designed to fast, security is not the highest priority – We should thanks V8 and those speed tests
About JScript 9 I don’t have enough time to fully talk about the internals of JScript 9 today, but I can tell you: JScript 9 is more exploit-friendly. Custom heaps, no gaps, less random More raw internal data structures More “interesting” objects … Although JScript 9 no longer use BSTR to store String object data, but there is some other new data structures like BSTR.
Page 1 and 2: ROPs are for the 99% Yang Yu at NSF
Page 3 and 4: Who am I Researcher at NSFOCUS Secu
Page 5 and 6: Now
Page 7 and 8: This is my original presentation pl
Page 9 and 10: Background
Page 11 and 12: var str = “AAAAAAAA”; Corrupt B
Page 13 and 14: JScript 9 replaced JScript 5.8 sinc
Page 15: Seems we’ve already done: Summon
Page 19 and 20: Array data: JScript 9 “BSTR” va
Page 21 and 22: writeByVul(0x0d0d0018 , 0x30000000)
Page 23 and 24: Noteworthy new “interesting” ob
Page 25 and 26: “Rewriting UAFs” is not rare: C
Page 27 and 28: “Vital Point Strike”
Page 37 and 38: “Interdimensional Execution”
Page 39 and 40: function GetModuleFromImport() We c
Page 41 and 42: Now, we can do this in JS just like
Page 43 and 44: struct _CONTEXT #define CONTEXT_i38
Page 45 and 46: One stone, two birds 0:019> dd 1416
Page 47 and 48: “Interdimensional” ebp FF5504
Page 49 and 50: Native dimention _ShellCode: 000000
Page 51: • I call this technique “Interd
Page 54 and 55: Off topic How to defend against unk
Page 56: Q & A

ROPs_are_for_the_99_CanSecWest_2014

Create successful ePaper yourself

Delete template?

Save as template?