Advanced Return Address Discovery Using Context-Aware Machine Code Emulation


Presented at Blackhat USA 2004 by

Payloads intended to execute attacker-provided code typically require a static address of code already present in the vulnerable process's address space, in order to redirect execution back into the code accompanying the payload. Historically, exploit authors have resorted to finding the addresses of byte sequences that perform a call or jump to the address held in a register at the moment execution can be hijacked. Such "return addresses" are typically infrequent in an address space and may vary with the version of the program being attacked, so version-independent or character-restricted addresses are extremely rare. With the "EEREAP" (eEye Emulating Return Address Purveyor) project, we aim to change the practice of return address discovery by employing machine code emulation and considerably finer-grained context awareness in order to exhaustively locate the addresses in an address space that are suitable for redirecting execution into payload data. In this presentation, we will discuss how EEREAP works, how to use it as a tool for exploit coding, and what can be accomplished with this new generation of return address enumeration technology.