Defeating public exploit protections (EMET v5.2 and more)
Raghav Pande
Researcher @ FireEye
Disclaimer
The content, demonstration, source code and programs
presented here are "AS IS" without any warranty or conditions
of any kind. Also, the views/ideas/knowledge expressed here
are solely mine and have nothing to do with the company or the
organization in which I am currently working.
However, under no circumstances shall I or SecurityXploded
be responsible for any damage or loss caused by use or
misuse of the information presented here.
Content
Introduction to Exploitation
Public Protections
Bypass
Precisely Targeted
Why Exploits?
Difficult to understand
No proper intel
Can own a Researcher and Newbie alike
You really need to know your stuff
Information
Tools used are public and free:
EMET (Microsoft)
Anti-Exploit (Malwarebytes)
HitmanPro.Alert (SurfRight)
Note: they do a very good job of protecting end
users, but nothing is perfect.
Kudos to them!
Introduction to Exploitation
Exploits are crafted pieces of art that turn a
software bug into a one-time grant of code
execution. The bug classes they start from:
Loopholes or logic bugs
Memory corruption
Information disclosure
Introduction to Exploitation
Details
Pre-Exploitation or Setup
  Spray
  Corruption of meta-information
  InfoLeak
Exploitation
  Corruption
  Payload Execution
    ROP
    Code Execution
Post-Exploitation
  Malware
Possible Protections
Pre-Exploitation or Setup
  Spray
Exploitation
  Payload Execution
    ROP detection
    Code execution detection
Post-Exploitation
  Malware
Public Protections
3rd-party support:
  MemProt
  ROP
    CallerCheck
    StackPivot
    SimExecFlow
  LoadLibrary
  Shellcode Protection
OS & processor supported:
  ASLR (enforced)
  DEP (enforced)
Exploitation
CVE-2012-1876
IE exploit
Corruption of heap data by overflow
ROP
Shellcode to pop calc.exe
Hurdles
ROP detection
Shellcode detection
ASLR
DEP
Exploitation
Defeat DEP by ROP
Defeat ASLR by memory leak (provided in the
sample exploit)
Crux of exploitation detection techniques
Exploitation detection hurdles left:
ROP
Shellcode
Defeating protections against stack-based exploits
is probably for the next meetup.
Exploitation
In the end
Most browser-based vulnerabilities can be used to
defeat ASLR by leaking memory, which yields the module
addresses needed to form a valid ROP chain.
Nearly all exploits come down to
1. Spray
2. ROP
3. Shellcode
so we will focus on bypassing these only.
Protections
StackPivot Check (ROP)
Protections
CallerCheck & SimExecFlow Check (ROP)
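Added example (not the speaker's code): a C model of two of the checks that run when a hooked critical API is entered, the StackPivot bounds check from the previous slide and the CallerCheck from this one. SimExecFlow is not modelled. The TEB stack bounds, the code fragments and the return-address offsets are constructed for the example, and the list of CALL encodings is my reimplementation of the idea rather than EMET's own decoder. The last fragment shows the blind spot of a pure caller check: a gadget that happens to sit right after a call instruction passes it even though the chain reached it through a RET.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the thread stack bounds a 32-bit Windows process keeps
 * in the TEB (StackBase at fs:[4], StackLimit at fs:[8]). Constructed values
 * for this example, not read from a live process. */
typedef struct {
    uint32_t stack_base;   /* one past the highest usable stack address */
    uint32_t stack_limit;  /* lowest committed stack address */
} thread_stack_t;

static const thread_stack_t sample_thread = { 0x00130000u, 0x0012c000u };

/* StackPivot check: on entry to a hooked critical API, is ESP still inside the
 * thread's real stack? A chain that pivoted ESP into a heap spray fails. */
bool stackpivot_ok(const thread_stack_t *t, uint32_t esp)
{
    return esp >= t->stack_limit && esp < t->stack_base;
}

/* ModR/M helper: opcode FF with reg field 2 is CALL r/m32. */
static bool is_call_modrm(uint8_t modrm, unsigned want_mod)
{
    return ((modrm >> 3) & 7u) == 2u && ((modrm >> 6) & 3u) == want_mod;
}

/* CallerCheck: was the API entered through a CALL? Looks at the bytes that
 * precede the return address (code[ret_off]) and accepts the common x86 CALL
 * encodings. A gadget entered via RET usually has unrelated bytes there.
 * Reimplementation of the idea for this example, not EMET's decoder. */
bool callercheck_ok(const uint8_t *code, size_t ret_off)
{
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)            /* call rel32 */
        return true;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF) {
        uint8_t m = code[ret_off - 1];
        if (is_call_modrm(m, 3))                              /* call reg */
            return true;
        if (is_call_modrm(m, 0) && (m & 7u) != 4u && (m & 7u) != 5u)
            return true;                                      /* call [reg] */
    }
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF) {
        uint8_t m = code[ret_off - 2];
        if (is_call_modrm(m, 1) && (m & 7u) != 4u)            /* call [reg+disp8] */
            return true;
    }
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF) {
        uint8_t m = code[ret_off - 5];
        if (m == 0x15)                                        /* call [disp32] */
            return true;
        if (is_call_modrm(m, 2) && (m & 7u) != 4u)            /* call [reg+disp32] */
            return true;
    }
    return false;
}

/* Constructed code fragments; the *_ret offsets mark the return address under test. */

/* Ordinary caller: mov eax,[ebp+8]; push eax; call rel32; <return address> */
const uint8_t sample_call_site[] = { 0x8B, 0x45, 0x08, 0x50, 0xE8, 0x10, 0x20, 0x30, 0x40, 0x5D, 0xC3 };
const size_t  sample_call_site_ret = 9;

/* Import call: call [disp32]; <return address: test eax,eax> */
const uint8_t sample_import_call[] = { 0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, 0x85, 0xC0 };
const size_t  sample_import_call_ret = 6;

/* Typical ROP gadget: push ebp; mov ebp,esp; sub esp,0x10; <gadget: pop edi; ret> */
const uint8_t sample_gadget[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x5F, 0xC3 };
const size_t  sample_gadget_ret = 6;

/* Call-preceded gadget: the bytes before it happen to be a call rel32, so the
 * check passes even though the chain arrived here through RET. */
const uint8_t sample_call_preceded[] = { 0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0x5D, 0xC3 };
const size_t  sample_call_preceded_ret = 5;

int main(void)
{
    printf("stackpivot, esp in real stack : %d\n", stackpivot_ok(&sample_thread, 0x0012f8a0u));
    printf("stackpivot, esp in heap spray : %d\n", stackpivot_ok(&sample_thread, 0x0c0c0c0cu));
    printf("callercheck, call site        : %d\n", callercheck_ok(sample_call_site, sample_call_site_ret));
    printf("callercheck, import call      : %d\n", callercheck_ok(sample_import_call, sample_import_call_ret));
    printf("callercheck, plain gadget     : %d\n", callercheck_ok(sample_gadget, sample_gadget_ret));
    printf("callercheck, call-preceded    : %d\n", callercheck_ok(sample_call_preceded, sample_call_preceded_ret));
    return 0;
}
```

The two checks are cheap because they only look at register state and a few bytes of code at the hook; that is also why they are only heuristics. Restoring ESP into the real stack before the API call satisfies the first, and picking gadgets whose address follows a call instruction satisfies the second.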
Protections
Payload Check (Shellcode)
Protections
EAF Check (EMET)
Differentiate
Protection                     EMET        MBAE               HitmanPro.Alert
ROP: StackPivot                Yes         Yes                Yes
ROP: CallerCheck               Yes (full)  Yes (dumbed-down)  Yes (dumbed-down)
ROP: SimExecFlow               Yes         No                 No
Payload (shellcode) check      No          Yes                Yes
Control-flow integrity (ROP)   No          No                 Yes
EAF                            Yes         No                 No
Image hijack                   No          Yes                Yes
Bypassing
StackPivot
CallerCheck
SimExecFlow
EAF/Payload Check
CFI
Bypassing Stackpivot
Bypassing CallerCheck & SimExecFlow
Bypassing CFI
Null out the LBR (Last Branch Record) before the API call
Borrow functions (hard, unless automated)
Be creative (what we did)
Note: we bypassed one public implementation of CFI;
that does not mean an implementation done another way
can be bypassed the same way.
Bypassing Payload Check
Bypassing All Protections
In all public exploit mitigation toolkits (generic)
DEMO time
Bypassing All protections
StackPivot
Targeted Bypassing
EMET
0x779fe695 + poi(0x779fe695 + 1) => 0x37df11d0
(WinDbg: follow the displacement of the jmp that EMET's
inline hook placed at the hooked API; it lands in the
hook's trampoline)
Targeted Bypassing
EMET
0x37df11d0 + 0x26 => preserved function prologue
(the original bytes the hook displaced)
Jumping into the preserved function prologue
bypasses the hook and forms a valid API call chain.
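Added example (not the speaker's code): the hook-skipping procedure the two slides above describe, as C over a constructed memory image. API_VA, TRAMP_VA, PROLOGUE_OFF and the prologue bytes are hypothetical; the slide's 0x779fe695, 0x37df11d0 and +0x26 are the speaker's EMET observations and are not reproduced. jmp_rel32_target adds the five-byte instruction length that the E9 encoding measures its displacement from. Instead of hard-coding the +0x26, the code generalises the step by searching the trampoline for the displaced prologue bytes followed by the jmp back into the API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical layout, constructed for this example. */
#define API_VA        0x77a00000u   /* VA of the hooked API in the target DLL */
#define TRAMP_VA      0x37df0000u   /* VA of the hook's trampoline page */
#define PROLOGUE_OFF  0x26u         /* where the trampoline keeps the displaced bytes */
#define TRAMP_SIZE    64u

/* Hotpatchable Windows prologue (mov edi,edi; push ebp; mov ebp,esp): the five
 * bytes the inline hook overwrote. This example assumes the attacker knows them
 * from a clean copy of the DLL on disk. */
static const uint8_t original_prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

static uint8_t api_bytes[16];            /* first bytes of the API after hooking */
static uint8_t tramp_bytes[TRAMP_SIZE];  /* trampoline body */

/* Encode jmp rel32 (E9 disp32) at p, where p is located at VA `from`. */
static void put_jmp_rel32(uint8_t *p, uint32_t from, uint32_t to)
{
    uint32_t disp = to - (from + 5);     /* relative to the next instruction */
    p[0] = 0xE9;
    p[1] = (uint8_t)disp;         p[2] = (uint8_t)(disp >> 8);
    p[3] = (uint8_t)(disp >> 16); p[4] = (uint8_t)(disp >> 24);
}

/* Build the constructed image: hooked API entry plus trampoline. */
void build_sample_image(void)
{
    memset(api_bytes, 0xCC, sizeof api_bytes);
    memset(tramp_bytes, 0x90, sizeof tramp_bytes);           /* stand-in for the hook's check code */
    put_jmp_rel32(api_bytes, API_VA, TRAMP_VA);              /* hook: jmp trampoline */
    api_bytes[5] = 0x83; api_bytes[6] = 0xEC; api_bytes[7] = 0x10;   /* sub esp,0x10: untouched rest of the API */
    memcpy(tramp_bytes + PROLOGUE_OFF, original_prologue, 5);         /* preserved prologue */
    put_jmp_rel32(tramp_bytes + PROLOGUE_OFF + 5,
                  TRAMP_VA + PROLOGUE_OFF + 5, API_VA + 5);           /* jmp back to API+5 */
}

/* Step 1: is the API's first instruction a jmp rel32? */
bool is_inline_hooked(const uint8_t *api)
{
    return api[0] == 0xE9;
}

/* Step 2: where does a jmp rel32 located at VA `va` land? */
uint32_t jmp_rel32_target(uint32_t va, const uint8_t *insn)
{
    uint32_t disp = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                    ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    return va + 5 + disp;
}

/* Step 3: find the preserved prologue inside the trampoline: the displaced
 * bytes immediately followed by a jmp. Returns the offset, or -1. */
long find_preserved_prologue(const uint8_t *tramp, size_t n,
                             const uint8_t *prologue, size_t plen)
{
    for (size_t off = 0; off + plen + 5 <= n; off++)
        if (memcmp(tramp + off, prologue, plen) == 0 && tramp[off + plen] == 0xE9)
            return (long)off;
    return -1;
}

/* Whole procedure: the VA to call instead of API_VA so the hook's checks never
 * run while the real function body still executes; 0 on failure. */
uint32_t hook_skipping_entry(void)
{
    build_sample_image();
    if (!is_inline_hooked(api_bytes))
        return API_VA;                                   /* nothing to skip */
    uint32_t tramp = jmp_rel32_target(API_VA, api_bytes);
    if (tramp != TRAMP_VA)
        return 0;                                        /* the image only models one trampoline */
    long off = find_preserved_prologue(tramp_bytes, TRAMP_SIZE, original_prologue, 5);
    if (off < 0)
        return 0;
    /* Sanity check: the jmp after the prologue copy must continue at API_VA+5. */
    uint32_t back = jmp_rel32_target(tramp + (uint32_t)off + 5, tramp_bytes + off + 5);
    if (back != API_VA + 5)
        return 0;
    return tramp + (uint32_t)off;
}

int main(void)
{
    printf("call 0x%08x instead of 0x%08x to skip the hook\n", hook_skipping_entry(), API_VA);
    return 0;
}
```

The returned address is what the ROP chain or shellcode calls instead of the exported API: the preserved prologue executes, the trailing jmp continues at API+5 inside the real function, and the checks that live between the hook and the prologue copy never see the call. On a live target the same arithmetic is done over bytes read from the hooked DLL in the process.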
Targeted Bypassing
“Other Tools”
Just like EMET we can bypass other public and free
toolkits as well.
However, That is not the scope of this presentation.
=)
Conclusion
An attacker who has studied the system can
break anything and everything.
The best method of protecting yourself is using a
custom protection, and never letting the
adversary know what you use.
Queries?
