I've received a great number of mails about rebasing a system. So I'll sumarise here > This won't protect against heap overflows etc. Agreed. The suggestion I was making was that exploits that rely on a specific instruction such as "jmp esp" being at a specific address can be defeated or slowed down by this. >You can brute force the address space. Yes - you can - IF the server stays up. In many cases it does not. In those cases where the server does stay up at least you _have_ to brute force. It means that you haven't compromised my server straight away. In the interim of the exploit starting the attack on the server and the server being compromised I'd hope that my _other_ defences such as IDS/IPS will notice that something is awry. > It's better to patch Of course it is. (If you do rebase a system though you'll need to re-rebase it after applying patches.) >or mark the stack as non-executable Sure. But in the absence of this rebasing can help protect. > Most exe's don't have a .reloc section and can't be rebased. Agreed. I was in error and forgot when writing the mail. That said even if the exe can't be rebased then default Image Base is 0x00400000. _If_ there was a suitable instruction in the exe image - one that will get you back to the actual code - then this address has a NULL in it. Many vulnerabilities require the arbitrary code to go after the saved return address as everything above gets munged. So the possibility of exploitation is reduced - note reduced - not negated.[Of course - in the case of unicode overflows the NULL is not an problem] What determines whether this is a reasonable protection method/step to take is the cost versus likelihood of attack. It's easy to rebase a system so the cost is low. As most Windows exploits are simple affairs the likelihood of attack is fairly high. Those that rebase their system will be vulnerable to c. 30-40% of exploits. Those that don't will be vulnerable to 100%. What I'm trying to say is that, "If my system has to be/or is going to be vulnerable to a vulnerability - I want to make sure that it's going to be a better than average exploit that suceeds in gaining control." Security is about putting as many hurdles in front of an attacker as possible. The more hurdles the less likely they are to break in. I'm not forcing anyone to adopt this as a "hurdle" to add. I put it forward simply as another line of defence that people may choose to do if they wish. Take it or leave it. Cheers, David Litchfield