Broken ASLR in Windows executable
ASLR (Address Space Layout Randomization) is a Windows mitigation that loads an image at a randomized base address so that an exploit cannot rely on fixed code and data addresses. The tor executable shipped in the Windows expert bundle does not fully support ASLR.
A Windows executable must have two things for ASLR to take effect:
In the PE header, the DllCharacteristics flag IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) must be set. This tells the loader that it is allowed to relocate the image. Tor has this flag correctly set.
A PE base relocation table (the .reloc section, referenced from the base relocation data directory). To randomize the image base (default image base for executables: 0x00400000) the PE loader must know which absolute addresses inside the image need to be adjusted, so the file must carry a relocation table. Tor is missing the relocation table. As a result the loader cannot move the image, the DYNAMIC_BASE flag has no effect, and tor.exe is always mapped at 0x00400000, which makes every code address in the binary predictable for an attacker.
The linker should provide a switch to keep the relocation table. With MSVC, /DYNAMICBASE sets the flag and keeps relocations (as long as /FIXED is not used). With GNU ld on MinGW, --dynamicbase sets the flag, and --pic-executable makes ld keep the .reloc section that it otherwise strips from executables (older binutils strip it even when --dynamicbase is given).
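The following is an added example (not code from the ticket or from the Tor project) that checks both conditions above on any PE file: it reads DllCharacteristics for DYNAMIC_BASE, the COFF Characteristics for IMAGE_FILE_RELOCS_STRIPPED, the base relocation data directory, and the section names. Because a real tor.exe is not embedded here, the script also builds small constructed PE32 images (with and without a .reloc section) to show what a "flag set but relocations stripped" binary looks like; the image-base and alignment values in the builder are arbitrary assumptions. Run it as `python pe_aslr_check.py path\to\tor.exe`.

```python
"""Check a PE file for the two things ASLR needs: the DYNAMIC_BASE flag and a
base relocation table the loader can apply.  Also builds constructed PE32
images so the check can be exercised without a real binary."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def check_aslr(data):
    """Parse the PE headers in `data` and report the ASLR-relevant fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, file_chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28, data dirs at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24, data dirs at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    reloc_rva = reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sec = opt + opt_size                                       # section table
    sections = [struct.unpack_from("8s", data, sec + 40 * i)[0]
                .rstrip(b"\0").decode("ascii", "replace") for i in range(nsections)]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_table = reloc_rva != 0 and reloc_size != 0
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        "has_reloc_table": has_reloc_table,
        "sections": sections,
        # The loader may move the image only if it is allowed to (DYNAMIC_BASE)
        # and able to (relocation table present and not marked stripped).
        "aslr_effective": dynamic_base and has_reloc_table and not relocs_stripped,
    }


def build_minimal_pe(dynamic_base, with_reloc_table, image_base=0x00400000):
    """Constructed PE32 image (assumed layout, not a real Tor binary): a .text
    section and, optionally, a .reloc section wired into the reloc directory."""
    file_align, sect_align = 0x200, 0x1000
    names = [b".text"] + ([b".reloc"] if with_reloc_table else [])
    nsect = len(names)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_chars = 0x0102                                         # EXECUTABLE | 32BIT
    if not with_reloc_table:
        file_chars |= IMAGE_FILE_RELOCS_STRIPPED   # what a reloc-stripping link sets
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 224, file_chars)
    dll_chars = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0
    reloc_rva = sect_align * 2 if with_reloc_table else 0
    reloc_size = 12 if with_reloc_table else 0
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 2, 0,
                      file_align, 0, 0, sect_align, sect_align, 0, image_base,
                      sect_align, file_align,
                      4, 0, 0, 0, 6, 0,
                      0, sect_align * (nsect + 1), file_align, 0,
                      3, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (reloc_rva, reloc_size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b""
    for i, name in enumerate(names):
        chars = 0x60000020 if name == b".text" else 0x42000040
        hdrs += struct.pack("<8sIIIIIIHHI", name, file_align, sect_align * (i + 1),
                            file_align, file_align * (i + 1), 0, 0, 0, 0, chars)
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(file_align, b"\0")
    image += b"\xC3".ljust(file_align, b"\0")                  # .text: a single ret
    if with_reloc_table:   # one block: page 0x1000, two HIGHLOW (type 3) fixups
        block = struct.pack("<IIHH", sect_align, 12, (3 << 12) | 0x10, (3 << 12) | 0x20)
        image += block.ljust(file_align, b"\0")
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            result = check_aslr(f.read())
    else:   # no file given: show the broken case from the report on a constructed image
        result = check_aslr(build_minimal_pe(dynamic_base=True, with_reloc_table=False))
    for key, value in result.items():
        print("%-16s %s" % (key, hex(value) if key == "image_base" else value))
```

On the constructed "flag set, relocations stripped" image the output shows dynamic_base True, has_reloc_table False and aslr_effective False, which is the situation described above for tor.exe; a correctly linked binary lists a .reloc section and a non-empty base relocation directory. For 64-bit (PE32+) builds the script also reports HIGH_ENTROPY_VA (0x0020), which is worth setting once DYNAMIC_BASE and relocations are in place.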
PS: Greetings from the 30C3. Nice presentation yesterday.