[28795] in bugtraq
Re: Preventing exploitation with rebasing
daemon@ATHENA.MIT.EDU (Todd Sabin)
Wed Feb 5 18:56:17 2003
To: David Litchfield <david@ngssoftware.com>
From: Todd Sabin <tsabin@optonline.net>
Date: 05 Feb 2003 16:30:45 -0500
In-Reply-To: <000701c2cd01$78c960c0$2601010a@recovery> (David Litchfield's message of "Wed, 05 Feb 2003 02:29:32 -0800")
Message-ID: <m3y94u4dq2.fsf@jetcar.qnz.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
David Litchfield <david@ngssoftware.com> writes:
> Going back to exe image files and rebasing. Surely they can be rebased even
> without a .reloc section? All I need to do is edit the image base in the PE
> header then parse the assembly looking for absolute addresses such as
> function addresses, static variables etc and modify these addresses, too.
This can't work in general. You need to have a list of what should be
relocated (the .reloc section), because otherwise you're just guessing
and may well guess wrong.
>
> For example assume an image base for an exe is 0x00400000 and the c code
> does
>
> printf("hello");
>
> This will generate something like
>
> push 0x0042001C // push pointer to hello
> call 0x00401060 // call printf
>
> If I then make the image base 0x00410000 and I also change
>
> push 0x0042001C
> call 0x00401060
>
> to become
>
> push 0x0043001C
> call 0x00411060
>
> then the exe should still run (as long as you get all the absolute
> addresses) and it has been rebased.
>
> ?
What would happen in this case?:
...
CheckSectionFlags (section,
IMAGE_SCN_ALIGN_8BYTES | IMAGE_SCN_MEM_PURGEABLE);
...
It may generate something like
push 0x00420000 // push flags
push 0x00420148 // push section
call 0x00401290 // call CheckSectionFlags
If you try to rebase that without a .reloc section, as you describe,
you'll change the meaning of the program because you have no way to
tell that the 0x00420000 is a constant and not a relocatable reference
to something else. (The IMAGE... flags are from winnt.h and probably
meaningless the way I've used them above, but you get the idea...)
--
Todd Sabin <tsabin@optonline.net>
BindView RAZOR Team <tsabin@razor.bindview.com>
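As an added illustration of the point Todd makes (this is example code written for this page, not code from either poster): the snippet below lays out a constructed 15-byte .text section holding the two pushes and the call from his reply, at an assumed ImageBase of 0x00400000 with an assumed SizeOfImage of 0x30000, together with a hand-built .reloc block in the real IMAGE_BASE_RELOCATION format (page RVA, block size, then 16-bit entries with the type in the top four bits and the page offset in the low twelve). It rebases the section twice: once the way the loader does, applying the delta only at the HIGHLOW entries the linker recorded, and once the way David describes, patching every 32-bit value that merely looks like an in-image address. The second pass also rewrites the flags constant 0x00420000, because nothing in the bytes distinguishes it from the pointer 0x00420148. Note that the call is encoded as a pc-relative E8 rel32 here, which needs no fixup at all; the section layout, constants and helper names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for the example (not taken from any real binary):
 * a .text section at RVA 0x1000 of an image with ImageBase 0x00400000
 * and SizeOfImage 0x30000, containing the instructions from the mail. */
#define OLD_BASE      0x00400000u
#define NEW_BASE      0x00410000u
#define SIZE_OF_IMAGE 0x00030000u
#define TEXT_RVA      0x1000u
#define TEXT_LEN      15u

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup         */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute VA, add delta   */

/* push 0x00420000 ; push 0x00420148 ; call +0x281 */
static const uint8_t text_section[TEXT_LEN] = {
    0x68, 0x00, 0x00, 0x42, 0x00,    /* push imm32: flags constant     */
    0x68, 0x48, 0x01, 0x42, 0x00,    /* push imm32: pointer to data    */
    0xE8, 0x81, 0x02, 0x00, 0x00     /* call rel32: pc-relative        */
};

/* One IMAGE_BASE_RELOCATION block. The linker lists only the second
 * push's immediate (page offset 6); it knows the first is a constant. */
static const uint8_t reloc_section[] = {
    0x00, 0x10, 0x00, 0x00,   /* VirtualAddress = 0x1000 */
    0x0C, 0x00, 0x00, 0x00,   /* SizeOfBlock   = 12      */
    0x06, 0x30,               /* HIGHLOW, offset 0x006   */
    0x00, 0x00                /* ABSOLUTE padding        */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Loader-style rebase: walk .reloc and add delta only where it says to.
 * Returns the number of fixups applied, or -1 if the table is malformed. */
int apply_relocs(uint8_t *text, size_t text_len,
                 const uint8_t *reloc, size_t reloc_len, uint32_t delta)
{
    int applied = 0;
    size_t pos = 0;
    while (pos + 8 <= reloc_len) {
        uint32_t page = rd32(reloc + pos);
        uint32_t size = rd32(reloc + pos + 4);
        if (size < 8 || size > reloc_len - pos || (size & 1)) return -1;
        for (size_t e = pos + 8; e + 2 <= pos + size; e += 2) {
            uint16_t entry = (uint16_t)(reloc[e] | (reloc[e + 1] << 8));
            uint16_t type = entry >> 12, off = entry & 0xFFF;
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) return -1;  /* not handled here */
            uint32_t rva = page + off;
            if (rva < TEXT_RVA || rva + 4 > TEXT_RVA + text_len) return -1;
            uint8_t *p = text + (rva - TEXT_RVA);
            wr32(p, rd32(p) + delta);
            applied++;
        }
        pos += size;
    }
    return pos == reloc_len ? applied : -1;
}

/* The .reloc-less scheme from the thread: treat every 32-bit value that
 * falls inside [old_base, old_base + image_size) as an address and shift
 * it. Returns the number of values patched. */
int naive_rebase(uint8_t *text, size_t text_len, uint32_t old_base,
                 uint32_t image_size, uint32_t delta)
{
    int patched = 0;
    for (size_t i = 0; i + 4 <= text_len; i++) {
        uint32_t v = rd32(text + i);
        if (v - old_base < image_size) {      /* unsigned range test */
            wr32(text + i, v + delta);
            patched++;
            i += 3;                           /* step past the patched dword */
        }
    }
    return patched;
}

/* Rebase a fresh copy with one strategy, then read the dword at 'off'. */
uint32_t value_after(int use_reloc, size_t off)
{
    uint8_t buf[TEXT_LEN];
    memcpy(buf, text_section, TEXT_LEN);
    if (use_reloc)
        apply_relocs(buf, TEXT_LEN, reloc_section, sizeof reloc_section, NEW_BASE - OLD_BASE);
    else
        naive_rebase(buf, TEXT_LEN, OLD_BASE, SIZE_OF_IMAGE, NEW_BASE - OLD_BASE);
    return rd32(buf + off);
}

int main(void)
{
    printf(".reloc-driven: flags 0x%08x, pointer 0x%08x\n", value_after(1, 1), value_after(1, 6));
    printf("guessing:      flags 0x%08x, pointer 0x%08x\n", value_after(0, 1), value_after(0, 6));
    return 0;
}
```

Offsets 1 and 6 are the immediates of the first and second push. The .reloc pass leaves the flags at 0x00420000 and moves the pointer to 0x00430148; the guessing pass moves both, silently turning the flags argument into 0x00430000.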