
DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis

I have my own talk from CanSecWest to blog about, but this one is more interesting and the most awaited one. So here are the slides; I will add my own analysis and test cases to this blog entry later.

Yu Yang (@tombkeeper) did a demo of his technique on Ms013-08, and it does not even need a heap spray for his ASLR/DEP bypass technique.

And the exploit is scary: it's a quick kaboom without a heap spray.
He calls his method GIFT [Got It From a Table].
The simple technique is to change the VFT of wow64sharedinformation and it's pret

Here are a couple of quick notes on the bypass technique:

Good news about the technique:
- Totally ASLR/DEP free
- Language/SP independent
- Works on almost all use-after-free / vtable-overflow bugs
- Targets IE, Firefox, PDF reader, Flash, Office ...
- Doesn't even need shellcode
- Sometimes doesn't need a heap spray

Caveats:
- Needs a Windows file sharing server (it is not a real problem)
- Only works on a 32-bit process in x64 Windows (this situation is very common)
- Cannot work on Windows 8

Read more and check out the slides: http://www.garage4hackers.com/blogs/8/dep-aslr-bypass-without-rop-jit-cansecwest2013-slides-analysis-785/
