Tag: ASLR

Bypassing Windows ASLR in Microsoft Office using ActiveX controls

This is just a short post highlighting how easily ASLR can be bypassed by instantiating ActiveX controls using certain classids in Microsoft Office. I’ve mainly tested with MS Word on an updated Windows 7 32-bit with Office 2010 32-bit, but other applications such as Excel and PowerPoint should work too. All these classids listed in…


Bypassing Windows ASLR in Microsoft Word using Component Object Model (COM) objects

A couple of months ago an RTF 0-day was used in attacks, and to bypass ASLR (Address Space Layout Randomization) it was using the non-ASLR module MSCOMCTL.OCX. This got me interested in researching how it was actually being loaded and discovering whether there were any more modules that could be used in the future…


Bypassing Windows ASLR using “Run without permission” Add-ons

This is just a short post highlighting a couple of products that, if installed, could be used to bypass ASLR in Internet Explorer: DivX Player 10.0.2, Yahoo Messenger 11.5.0.228 and AOL Instant Messenger 7.5.14.8. These products contain a number of libraries that do not get ASLR’d when loaded in memory due to not being compiled with…


Bypassing Windows ASLR using “skype4COM” protocol handler

While investigating an unrelated issue using the Sysinternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts, I decided to check if these libraries have their dynamic base bits set. It turns out that the “skype4com.dll” library…
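The check described in the post above (does a library have its dynamic base bit set?) is a header lookup. As an added example, and not code from any of the posts listed here, the Python script below parses the COFF and optional headers of a PE image and reports IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, set by /DYNAMICBASE), IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) and IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (0x0020). It also reports IMAGE_FILE_RELOCS_STRIPPED from the COFF characteristics, because a module whose relocations were stripped cannot be moved by the loader even if the DYNAMICBASE bit is set. The offsets come from the PE/COFF specification; the `build_test_pe` helper is an assumption of this example that constructs a header-only PE image so the script runs without real DLLs.

```python
import struct
import sys

# Flags from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # set by /NXCOMPAT (DEP)


def pe_aslr_info(data):
    """Return the ASLR/DEP-relevant header flags of the PE image in `data`.

    Only the DOS header, COFF file header and the fixed part of the optional
    header are parsed, so this works for PE32 and PE32+ files alike.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # Without a relocation table the loader cannot move the image, so the
        # DYNAMICBASE bit alone does not make the module randomised.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_pe(dll_characteristics, file_characteristics=0x2102, pe32plus=False):
    """Construct a minimal header-only PE image (an assumption of this example,
    not a real DLL) so pe_aslr_info can be exercised offline.
    0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL."""
    opt_size = 240 if pe32plus else 224
    magic = 0x20B if pe32plus else 0x10B
    machine = 0x8664 if pe32plus else 0x14C
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_files(paths):
    """Parse each file on disk; returns a list of (path, info dict or error string)."""
    results = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                results.append((p, pe_aslr_info(f.read())))
        except (OSError, ValueError) as exc:
            results.append((p, str(exc)))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, info in scan_files(sys.argv[1:]):
            print(path, info)
    else:
        # Constructed samples: a module built without /DYNAMICBASE, and one with both bits.
        for name, blob in (("no-aslr-sample", build_test_pe(0x0000)),
                           ("aslr-dep-sample", build_test_pe(0x0140))):
            print(name, pe_aslr_info(blob))
```

Run it with one or more module paths as arguments to check real files on a Windows box (for example the .ocx and .dll names mentioned in these posts); with no arguments it parses the two constructed samples. A module that reports `dynamic_base: False`, or `dynamic_base: True` together with `relocs_stripped: True`, will be mapped at its preferred base and is a candidate for the kind of bypass these posts describe.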


Bypassing Microsoft Windows ASLR with a little help by MS-Help

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed, as it shipped with the non-ASLR msvcr71.dll library. Now that Java 7 has been out for a…