Informative Information for the Uninformed | |||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||
Next: Conclusion
Up: Temporal Return Addresses
Previous: Calculating Viable Opcode Windows
  Contents
Case study: Example applicationAside from Windows' processes having SharedUserData present, it may also be possible, depending on the application in question, to find other temporal addresses at static locations across various operating system versions. Take for instance the following example program that simply calls time every second and stores it in a local variable on the stack named t: #include <windows.h> #include <time.h> void main() { unsigned long t; while (1) { t = time(NULL); SleepEx(1000, TRUE); } } When the telescope program is run against a running instance of this example program, the results produced are: C:\>telescope 3004 [*] Attaching to process 3004 (5 polling cycles)... [*] Polling address space........ Temporal address locations: 0x0012FE24 [Size=4, Scale=Counter, Period=70 msec] 0x0012FE88 [Size=4, Scale=Counter, Period=1 sec] 0x0012FE9C [Size=4, Scale=Counter, Period=1 sec] 0x0012FF7C [Size=4, Scale=Epoch (1970), Period=1 sec] 0x7FFE0000 [Size=4, Scale=Counter, Period=600 msec] 0x7FFE0014 [Size=8, Scale=Epoch (1601), Period=100 nsec] Judging from the source code of the example application it would seem clear that the address 0x0012ff7c coincides with the local variable t which is used to store the number of seconds since 1970. Indeed, the t variable also has an update period of one second as indicated by the telescope program. The other finds may be either inaccurate or not useful depending on the particular situation, but due to the fact that they were identified as counters instead of being relative to one of the two epoch times most likely makes them unusable. In order to write an exploit that can leverage the temporal address t, it is first necessary to take the steps outlined in this document with regard to calculating the duration of each byte index and then building a list of all the viable opcode permutations. The duration of each byte index for a four byte timer with a one second period are shown in figure .
The starting byte index for this temporal address is byte index one due to the fact that it has the smallest feasible window of time for an exploit to be launched (4 mins 16 secs). After identifying this starting byte index, permutations for all the viable opcodes can be generated. All the permutations from 1970 to 2038 are shown in figure . Nearly all of the viable opcode windows conveyed in figure have a window of 4 minutes. Only a few have a window of 18 hours. To get a better idea for what the future has in store for a timer like this one, table shows the upcoming viable opcode windows for 2005.
Next: Conclusion
Up: Temporal Return Addresses
Previous: Calculating Viable Opcode Windows
  Contents
|