ROPs_are_for_the_99_CanSecWest_2014

Recommendations

Info

function GetBaseAddrByPoiAddr() Even under ASLR, module address is 0x10000 aligned, so we can find the base address of the module according any pointer like this: function GetBaseAddrByPoiAddr( PoiAddr ) { var BaseAddr = 0; BaseAddr = PoiAddr & 0xFFFF0000; while( readDword(BaseAddr) != 0x00905A4D || readDword(BaseAddr+0xC) != 0x0000FFFF ) { BaseAddr -= 0x10000; } return BaseAddr; }
function GetModuleFromImport() We can read the import table of a module, find out the base address of kernel32.dll or others: function GetModuleFromImport( ModuleName, LibAddr ) { var p = 0; var pImport; // PIMAGE_IMPORT_DESCRIPTOR … p = readDword(LibAddr + 0x3C); p = readDword(LibAddr + p + 0x80); pImport = LibAddr + p; while( readDword(pImport+0x0C) != 0 ) {
Page 1 and 2: ROPs are for the 99% Yang Yu at NSF
Page 3 and 4: Who am I Researcher at NSFOCUS Secu
Page 5 and 6: Now
Page 7 and 8: This is my original presentation pl
Page 9 and 10: Background
Page 11 and 12: var str = “AAAAAAAA”; Corrupt B
Page 13 and 14: JScript 9 replaced JScript 5.8 sinc
Page 15 and 16: Seems we’ve already done: Summon
Page 17 and 18: About JScript 9 I don’t have enou
Page 19 and 20: Array data: JScript 9 “BSTR” va
Page 21 and 22: writeByVul(0x0d0d0018 , 0x30000000)
Page 23 and 24: Noteworthy new “interesting” ob
Page 25 and 26: “Rewriting UAFs” is not rare: C
Page 27 and 28: “Vital Point Strike”
Page 37: “Interdimensional Execution”
Page 41 and 42: Now, we can do this in JS just like
Page 43 and 44: struct _CONTEXT #define CONTEXT_i38
Page 45 and 46: One stone, two birds 0:019> dd 1416
Page 47 and 48: “Interdimensional” ebp FF5504
Page 49 and 50: Native dimention _ShellCode: 000000
Page 51: • I call this technique “Interd
Page 54 and 55: Off topic How to defend against unk
Page 56: Q & A

ROPs_are_for_the_99_CanSecWest_2014

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?