Modern operating systems randomise all memory addresses (Address Space Layout Randomisation). Libraries loaded into memory, for example, are loaded into memory with random offsets. The result is that simply discovering a buffer overflow in a browser and so gaining control over the instruction pointer is not sufficient to allow attackers to execute their own code. Exploit writers are faced with the problem of where to jump to.
Kingcope has demonstrated an astonishingly simple trick for ensuring that a DLL is loaded to a specific, known memory address. Using a little JavaScript, he first fills almost all of the system’s memory. He then frees it up bit by bit until the DLL required to run an ActiveX control just fits. The DLL is then loaded to a predictable memory address and the exploit writer can jump to specific code fragments.
