Overview
Explore cutting-edge Windows exploitation techniques in this 50-minute Black Hat conference talk. Delve into two new DEP bypass methods, two ASLR bypass techniques, and various lesser-known exploitation skills that don't rely on ROP, JIT, third-party plugins, or non-ASLR modules. Learn how these OS-independent and often CPU-independent approaches enable "Write Once, Pwn Anywhere" exploits. Discover the intricacies of corrupting BSTR prefixes, leveraging JScript 9 String object sprays, manipulating Array data prefixes and lengths, and exploiting interdimensional execution. Gain insights into vital attack points, the safe mode switch in JScript objects, and using JavaScript to stand in for "LoadLibrary" and "GetProcAddress". Understand why these novel techniques may prove challenging to detect and identify, making them valuable knowledge for both offensive and defensive security professionals.
Syllabus
Intro
Corrupt BSTR prefix
JScript 9 String object spray mojo
Corrupt JScript 9 Array data prefix
JScript 9 Array data length mojo
Vital Points in the human body
Safe Mode switch in JScript object
"LoadLibrary" via JavaScript
function GetProcAddress()
Object operation call
Native dimension
Script dimension
Interdimensional Execution
Taught by
Black Hat