defeating public exploit protections (emet v5.2 and more)

Post on 07-Aug-2015


Defeating public exploit protections (EMET v5.2 and more)

Raghav Pande, Researcher @ FireEye

Disclaimer

The content, demonstration, source code and programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.

However, in no circumstances am I or SecurityXploded responsible for any damage or loss caused due to use or misuse of the information presented here.

Content

Introduction to Exploitation

Public Protections

Bypass

Precisely Targeted

Why Exploits?

Difficult to understand

No proper intel

Can own a Researcher and Newbie alike

You really need to know your stuff

Information

Tools used are public and free

EMET (Microsoft)

Anti-Exploit (Malwarebytes)

HitmanPro.Alert (SurfRight)

Note: They do a very good job of protecting end users, but nothing is perfect.

Kudos to them!

Introduction to Exploitation

Exploits are crafted pieces of art which can elevate a software bug and grant you one-time access to code execution.

Loopholes or Logic Bugs

Memory Corruption

Information Disclosure

Introduction to Exploitation

Details

Pre Exploitation or Setup: Spray

Corruption of Meta-Information

InfoLeak

Exploitation: Corruption

Payload Execution: ROP

Code Execution

Post Exploitation: Malware

Possible Protections

Pre Exploitation or Setup: Spray

Exploitation / Payload Execution:

ROP detection

Code Execution detection

Post Exploitation: Malware

Public Protections: 3rd Party support

MemProt

RopCallerCheck

StackPivot

SimExecFlow

LoadLibrary

Shellcode Protection

OS & Processor supported

ASLR (Enforced)

DEP (Enforced)

Exploitation

CVE-2012-1876

IE exploit: Corruption of Heap Data by Overflow

ROP

Shellcode to pop calc.exe

Hurdles

Rop Detection

Shellcode Detection

ASLR

DEP

Exploitation

Defeat DEP by ROP

Defeat ASLR by memory leak (provided in sample exploit)

Crux of Exploitation Detection techniques

Exploitation Detection Hurdles left: ROP

Shellcode

Defeating protections against stack-based exploits is probably for the next meetup.

Exploitation

In the End

Most browser-based vulnerabilities can be used to bypass ASLR by leaking memory to form a valid ROP chain.

Nearly all exploits come down to:

1. Spray

2. ROP

3. Shellcode

So we will focus on bypassing these only.

Protections: StackPivot Check (ROP)

Protections: CallerCheck & SimExecFlow Check (ROP)

Protections: Payload Check (Shellcode)

Protections: EAF Check (EMET)

Differentiate                 EMET         MBAE          HitmanPro.Alert

Rop StackPivot                Yes          Yes           Yes

Rop CallerCheck               Yes (Full)   Yes (Dummed)  Yes (Dummed)

Rop SimExecFlow               Yes          No            No

Payload (Shellcode)           No           Yes           Yes

ControlFlow Integrity (Rop)   No           No            Yes

EAF                           Yes          No            No

Image Hijack                  No           Yes           Yes

Bypassing

StackPivot

CallerCheck

SimExecFlow

EAF/Payload Check

CFI

Bypassing Stackpivot


Bypassing CallerCheck & SimExecFlow

Bypassing CFI

Null out LBR before ApiCall

Borrow functions (hard, unless automated)

Be Creative (what we did)

Note: We bypassed a public implementation of CFI; that doesn't mean an implementation done another way can be bypassed the same way.

Bypassing CFI

Bypassing Payload Check

Bypassing All protections

In All public exploit mitigation toolkits (Generic)

DEMO time

Bypassing All protections

StackPivot

Targeted Bypassing

EMET

0x779fe695 + poi(0x779fe695 + 1) => 0x37df11d0

Targeted Bypassing

EMET

0x37df11d0+0x26 => Preserved Function Prologue

Jumping into the preserved function prologue bypasses the hook and forms a valid API call chain.

Targeted Bypassing

“Other Tools”

Just like EMET we can bypass other public and free toolkits as well.

However, that is outside the scope of this presentation. =)

Conclusion

An attacker who has studied the system can break anything & everything.

The best method of protecting yourself is using a custom protection, and never letting the adversary know what you use.

Queries?
