Defeating public exploit protections (EMET v5.2 and more)
- 2. Disclaimer
The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here
are solely mine and have nothing to do with the company or the
organization in which i am currently working.
However in no circumstances neither me nor SecurityXploded
is responsible for any damage or loss caused due to use or
misuse of the information presented here.
- 5. Information
Tools used are public and free
EMET (Microsoft)
Anti Exploit (Malware Bytes)
Hitman Alert (Surfright)
Note: They do a very good job in protecting end
users, But nothing is perfect.
Kudos to them!
- 6. Introduction to Exploitation
Exploits are crafted pieces of Art which can
elevate a Software Bug and grant you one time
access to Code Execution.
Loopholes or Logic Bugs
Memory Corruption
Information Disclosure
- 9. Public Protections
3rd Party support
MemProt
Rop
CallerCheck
StackPivot
SimExecFlow
LoadLibrary
Shellcode Protection
OS & Processor supported
ASLR (Enforced)
DEP (Enforced)
- 11. Exploitation
Defeat DEP by ROP
Defeat ASLR by memory leak (provided in
sample exploit)
Crux of Exploitation Detection techniques
Exploitation Detection Hurdles left
ROP
Shellcode
Defeating protections from Stack based exploits
is for next meetup probably.
- 12. Exploitation
In the End
Most of browser based vulnerabilities can be used to
cover ASLR by leaking memory to form a valid ROP
Chain.
Nearly all exploits come down to
1. Spray
2. ROP
3. Shellcode
So we will focus on bypassing these only.
- 17. Differentiate
EMET MBAE HITMAN Alert
Rop StackPivot Yes Yes Yes
Rop CallerCheck Yes (Full) Yes (Dummed) Yes (Dummed)
Rop SimExecFlow Yes No No
Payload
(Shellcode)
No Yes Yes
ControlFlow
Integrity
(Rop)
No No Yes
EAF Yes No No
Image Highjack No Yes Yes
- 22. Bypassing CFI
Null out LBR before ApiCall
Borrow functions (hard, unless automated)
Be Creative (what we did)
Note: We bypassed a public implementation of CFI,
doesn’t mean if its implemented another way it can
still be bypassed the same way.
- 30. Conclusion
An attacker who has studied the system can
break anything & everything.
Best method of protecting yourself is using a
custom protection, and never letting the
adversary know what you use.