Subverting without EIP

A few months ago I did some research regarding the vulnerability in Internet Explorer demonstrated by the VUPEN team at the 2013 Pwn2Own competition. I had always had this view in my mind that it would be possible to exploit other primitives in browsers, so I came up with this research, which discusses a new method of exploitation in Internet Explorer. As an example, I exploited the VUPEN vulnerability (CVE-2013-2551 / MS13-037) with this method. To ensure it would not harm anyone, the issue was reported to Microsoft and I postponed my disclosure until now.

Abstract

One of the hurdles for any exploit developer is bypassing memory protection mechanisms. These protections are built on a simple idea: stop the attacker from gaining control over EIP and/or from executing binary shellcode. The cat-and-mouse game between vendors implementing better protections and the hacker community bypassing them is an old story, so every exploit developer tries to gain control over the EIP register by bypassing protections such as stack cookies, SafeSEH and VTable guard, and then to execute shellcode by bypassing ASLR and DEP. In this research paper, however, I am going to leave EIP alone and forget about running shellcode to gain code execution. Instead, we can exploit better primitives and still gain code execution without EIP=0x41414141.
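To make the contrast in the abstract concrete, here is an added example in C (it is not code from the original post, and it is not the author's technique against IE; the `session` object, the `attacker_write` primitive and the `guarded_call` check are all hypothetical stand-ins). The same arbitrary-write primitive is used twice: once to corrupt control data (a function pointer), which a toy VTable-guard-style allow-list check refuses, and once to corrupt non-control data (a trust flag), after which the program takes its own legitimate privileged branch with control flow never leaving the binary's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical target object (constructed for this example). In a real
 * target this would be any heap or stack object whose fields the program
 * trusts without re-validating them. */
struct session {
    char name[16];
    uint32_t is_admin;          /* non-control data gating a privileged path */
};

typedef int (*handler_fn)(const struct session *);

static int normal_handler(const struct session *s)     { (void)s; return 0; }
static int privileged_handler(const struct session *s) { (void)s; return 1; }

/* Stand-in for the write primitive a memory-corruption bug hands an attacker:
 * n attacker-chosen bytes land at an attacker-chosen address. */
static void attacker_write(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Toy analogue of a control-flow mitigation (VTable guard / CFG style):
 * an indirect call is only permitted to an allow-listed target. */
static int guarded_call(handler_fn fn, const struct session *s)
{
    if (fn != normal_handler)
        return -1;              /* hijacked pointer detected, call refused */
    return fn(s);
}

/* The program's own dispatch logic: it decides on data, not on a pointer
 * the attacker needs to replace. */
static int dispatch(const struct session *s)
{
    return s->is_admin == 1 ? privileged_handler(s) : normal_handler(s);
}

/* Classic approach: corrupt control data (a function pointer) and hope the
 * indirect call lands on it. The guard sees a target that is not
 * allow-listed and refuses. Returns -1. */
int control_flow_attack(void)
{
    struct session s = { "guest", 0 };
    handler_fn fn = normal_handler;
    handler_fn evil = privileged_handler;

    attacker_write(&fn, &evil, sizeof fn);
    return guarded_call(fn, &s);
}

/* Data-only approach: use the same primitive on non-control data. No
 * return address, SEH record, vtable or function pointer changes, so
 * stack cookies, SafeSEH, VTable guard, DEP and ASLR have nothing to
 * catch; the program simply follows its legitimate branch. Returns 1. */
int data_only_attack(void)
{
    struct session s = { "guest", 0 };
    uint32_t one = 1;

    if (dispatch(&s) != 0)      /* sanity check: unprivileged before the write */
        return -2;
    attacker_write(&s.is_admin, &one, sizeof one);
    return dispatch(&s);
}
```

The point is not that one write to a flag is the whole story (the post's target is a browser, where the trusted data would be something like an object's length or type field), but that mitigations keyed on control transfers do not inspect a write whose effect is confined to data the program already trusts.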

More here: http://mallocat.com/subverting-without-eip/
