Hacker Bypasses Windows 7/8 Address Space Layout Randomization

Friday, January 25, 2013

Going by the name KingCope, the hacker who released a dozen exploits targeting MySQL and SSH last December has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions at a known address. KingCope has explained the method in a blog post along with a PoC.

The method involves filling up the system’s entire memory through the execution of JavaScript, after which the memory is freed block by block until just enough is available to load the desired DLL. The address of the freed memory is thus known, giving the hacker a known address to jump to.

Once this is done, the rest of the memory that was filled up earlier can be freed, and the known exploit methods of heap spraying and heap corruption can be used to exploit the system.
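
The effect described above can be seen in a simplified model, added here as an illustration (it is not KingCope's PoC and not the Windows loader): it counts the aligned base addresses at which an image still fits and reports the resulting randomization entropy. It assumes the loader picks uniformly among those bases and a 64 KiB allocation granularity; all addresses and sizes are constructed.

```python
import math

GRANULARITY = 0x10000  # 64 KiB allocation granularity (model assumption)


def candidate_bases(free_regions, image_size, align=GRANULARITY):
    """Every aligned base at which an image of image_size fits.

    free_regions is a list of (start, size) tuples of unreserved address space.
    """
    bases = []
    for start, size in free_regions:
        first = -(-start // align) * align      # round start up to alignment
        last = start + size - image_size        # highest base that still fits
        bases.extend(range(first, last + 1, align))
    return bases


def entropy_bits(free_regions, image_size):
    """Bits of load-address entropy; None if the image cannot be mapped at all."""
    n = len(candidate_bases(free_regions, image_size))
    return math.log2(n) if n else None


def release_until_fits(blocks, image_size):
    """Free reserved blocks in order, merging neighbours, until the image fits.

    Returns the free list at the first moment a load would succeed.
    """
    free = []
    for start, size in blocks:
        if free and free[-1][0] + free[-1][1] == start:
            free[-1] = (free[-1][0], free[-1][1] + size)  # extend the hole
        else:
            free.append((start, size))
        if candidate_bases(free, image_size):
            break
    return free


IMAGE_SIZE = 0x100000  # constructed 1 MiB image

# Constructed: an almost empty 2 GiB user address space.
NORMAL = [(0x10000, 0x7FFE0000)]
# Constructed: address space fully reserved in 64 KiB blocks, then released.
BLOCKS = [(0x20000000 + i * GRANULARITY, GRANULARITY) for i in range(32)]

if __name__ == "__main__":
    print("normal   :", entropy_bits(NORMAL, IMAGE_SIZE), "bits")
    print("exhausted:", entropy_bits([], IMAGE_SIZE))
    hole = release_until_fits(BLOCKS, IMAGE_SIZE)
    print("one hole :", entropy_bits(hole, IMAGE_SIZE), "bits at",
          [hex(b) for b in candidate_bases(hole, IMAGE_SIZE)])
```

In the model, randomization only has entropy while more than one candidate base exists, so measures that stop untrusted script from exhausting the process address space also protect ASLR.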