正好今天David LeBlanc的blog上更新了一点关于vista安全特性的讨论，其中提到了ASLR的一些绕过，原文这么说的

ASLR – there is a limited amount of randomness in where things show up in memory – only 8 bits. In some cases, you can get 16 bits because you might have 2 things moving independently (e.g., where the stack is and where a DLL loads). Problems you can run into include information leaks, or crashes that tell you things about where DLLs are in memory. Once a DLL is loaded, it stays in the same place. For DLLs used by a lot of apps, this could persist until you reboot. Thus an information leak in one app might help refine an attack against another. It is also true that a poorly implemented exception handler could make ASLR ineffective by allowing as many attacks as you need. This was seen in the .ani exploit. I've written about this problem previously here. ASLR also may not be applied to all DLLs, and that gives you a non-moving target. Additionally, if the exploit mechanics allow it, you might be able to code something that depends on an offset rather than finding a fixed address. For example, if you can jump to a predictable offset from where you are to something that calls the function you want to hit, then you have a way to find the function, even if you cannot predict where it is and go there directly.


这让我想起了我以前写的那个imail的iaspam.dll堆溢出，就是利用了information leaks，可以把内存地址读出来，精确判断栈空间的加载地址。那是一个write any to any的漏洞，所以可以精确覆盖。当时就想过这个漏洞在vista上如果绕过了DEP，应该是也能成功利用的。

David LeBlanc这里举的这些思路都是非常不错的，虽然没啥新东西，但也是个比较好的归纳。

全文我已经转到邮件列表了，不知道会有几个人认真去看。