
"First, I would like to thank Dan Rosenberg for the interesting information he shared about the ROP-prevention mechanism on Windows 8.

At the same time, I appreciate the effort of Nguyen Hong Son, my young colleague, in turning Dan's bypass method into a concrete generic ROP chain. However, two weaknesses in that ROP chain are easy to spot:
- First, it requires EAX to point to a valid stack value before entering the ROP chain. Without that, the ROP chain cannot be used. In practice, there are many cases in which no register retains the value of ESP (for example, when the stack pivot is performed with a MOV ESP,R32 instruction rather than an XCHG). Even when some register other than EAX does hold a valid ESP value, moving it into EAX with ROP gadgets is not always easy. So, to have a generic ROP chain that can be used widely on Windows 8, this weakness needs to be fixed.
- The other limitation lies in the length of the ROP chain. While today's popular generic ROP chains on Windows 7 are very short (18 dwords with the new Corelanc0d3rs ROP chain, and 22 dwords with Sayonara's ROP chain), this ROP chain contains about 100 dwords. My friend, or anyone else following Dan's method, might make the ROP chain a little shorter just by optimizing the use of ROP gadgets, but I believe it would still be very long compared with the Windows 7 ROP chains. As with shellcode in general, length is also a concern for a ROP chain. Although our exploit code may rarely run into trouble because of this difference in length, I still think a compact ROP chain looks nicer and more polished. Focusing on the Windows 8 protection mechanism, I created a new generic ROP chain using my own method. And, importantly, it overcomes both of the weaknesses above..."

Hi all. Here's a little something to stir up the "work, play, and eat the prizes too" movement and liven things up.

The above is the opening excerpt of a blog post I have just finished writing, which is now waiting for the editorial board to translate. I'm using it directly as the problem for this little contest. More specifically, it was from a blog post by the Western guy that we learned of the anti-ROP mechanism on Win 8, as I mentioned at that seminar. I tried out the method from that post, and then SonNHD wrote a generic ROP chain for Win8; the result is the blog post everyone has seen. However, there are two issues, which can be considered weaknesses of this ROP chain, that I could already see while SonNHD was building it. Back then I wanted to fix them too, but could not think of a workable solution.

Recently, I noticed that the exploits for Firefox and IE bugs written for metasploit all use the short, popular Win7 generic ROP chains. I also saw that my recently released blog post had quite a few readers. So I looked into optimizing SonNHD's ROP chain to make it more compact. However, even after tearing it down and rewriting it from scratch (still following the Western guy's method), I could only get it down to about 50 dwords, still far too long compared with the roughly 20 dwords of the Win7 ROP chains. So I tried thinking a little differently from the Western guy's approach, and with that approach I could easily write a new, shorter ROP chain (around 2x to 3x dwords, i.e. twenty-something to thirty-something). On the other hand, I also found a solution to the "EAX must point to a valid stack" requirement. Now I'm turning these two issues into two independent problems for the students in Room 1 (and anyone else who feels like it) to try to solve and win a prize from me.
- A solution is a ROP chain that runs on Windows 8, using addresses from a common library, for example msvcr71.dll as the W7 generic ROP chains usually do. (I also used this library.)
- A ROP chain of <= 35 dwords counts as solving the length problem.
- Prize: for each problem solved, half of my author's fee for this blog post goes to the first person to solve it. Whoever solves both problems will of course collect the full fee for the post, and I will also consider proposing an additional reward.
- Deadline: before the blog post is published (expected around the middle of next week). Have a go, youngsters.
