Defeating public exploit protections (EMET v5.2 and more)
Raghav Pande, Researcher @ FireEye
Disclaimer
The content, demonstration, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.
In no circumstances are either I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
Content
- Introduction to Exploitation
- Public Protections
- Bypass
- Precisely Targeted

Why Exploits?
- Difficult to understand
- No proper intel
- Can own a researcher and a newbie alike
- You really need to know your stuff

Information
Tools used are public and free:
- EMET (Microsoft)
- Anti Exploit (Malware Bytes)
- Hitman Alert (Surfright)
Note: They do a very good job of protecting end users, but nothing is perfect.
Kudos to them!
Introduction to Exploitation
Exploits are crafted pieces of art which can elevate a software bug and grant you one-time access to code execution. Bug classes:
- Loopholes or logic bugs
- Memory corruption
- Information disclosure
Introduction to Exploitation: Details
- Pre-Exploitation or Setup
  - Spray
  - Corruption of meta-information
  - InfoLeak
- Exploitation
  - Corruption
  - Payload execution: ROP, code execution
- Post-Exploitation
  - Malware
Possible Protections
- Pre-Exploitation or Setup
  - Spray
- Exploitation
  - Payload execution: ROP detection, code execution detection
- Post-Exploitation
  - Malware
Public Protections
3rd-party support:
- MemProt
- ROP: CallerCheck, StackPivot, SimExecFlow, LoadLibrary
- Shellcode protection
OS and processor supported:
- ASLR (enforced)
- DEP (enforced)
Exploitation: CVE-2012-1876
- IE exploit
- Corruption of heap data by overflow
- ROP
- Shellcode to pop calc.exe
Hurdles:
- ROP detection
- Shellcode detection
- ASLR
- DEP
Exploitation:
- Defeat DEP by ROP
- Defeat ASLR by memory leak (provided in the sample exploit)
Crux of Exploitation Detection Techniques
Exploitation detection hurdles left:
- ROP
- Shellcode
Defeating protections against stack-based exploits is probably a topic for the next meetup.
Exploitation: In the End
Most browser-based vulnerabilities can be used to defeat ASLR by leaking memory to form a valid ROP chain.
Nearly all exploits come down to:
1. Spray
2. ROP
3. Shellcode
So we will focus on bypassing these only.
Protections: StackPivot Check (ROP)

Protections: CallerCheck & SimExecFlow Check (ROP)

Protections: Payload Check (Shellcode)

Protections: EAF Check (EMET)
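The StackPivot and CallerCheck checks named on the slides above, modelled as detection logic run at a hooked API entry. This is an added example, not code from the talk or from any of the toolkits; the x86 decoder is simplified and the code image, addresses and stack ranges are constructed.

```python
# Added example (not from the talk): simplified model of the StackPivot and
# CallerCheck heuristics at a hooked API entry; all addresses/bytes are constructed.

CODE_BASE = 0x00401000   # constructed base of the caller's code image
API_ADDR = 0x77A01234    # constructed address of a hooked critical API

def stack_pivot_check(esp: int, stack_limit: int, stack_base: int) -> bool:
    """ESP must lie inside the thread's TEB stack range; a pivot into a spray fails."""
    return stack_limit <= esp < stack_base

def call_precedes(code: bytes, base: int, ret_addr: int, api_addr: int) -> bool:
    """The instruction ending at ret_addr must be a CALL (simplified x86 decoder).
    E8 rel32 must target api_addr; FF /2 indirect forms are accepted unresolved."""
    off = ret_addr - base
    if off < 0 or off > len(code):
        return False
    if off >= 5 and code[off - 5] == 0xE8:                 # call rel32
        rel = int.from_bytes(code[off - 4:off], "little", signed=True)
        return (ret_addr + rel) & 0xFFFFFFFF == api_addr
    for length in (2, 6):                                  # call reg / call [mem]
        start = off - length
        if start < 0 or code[start] != 0xFF or (code[start + 1] >> 3) & 7 != 2:
            continue
        mod, rm = code[start + 1] >> 6, code[start + 1] & 7
        if length == 2 and (mod == 3 or (mod == 0 and rm not in (4, 5))):
            return True                                    # call reg / call [reg]
        if length == 6 and ((mod == 0 and rm == 5) or (mod == 2 and rm != 4)):
            return True                                    # call [disp32] / [reg+disp32]
    return False

def check_api_entry(code, esp, stack_limit, stack_base, ret_addr) -> list:
    """Run both heuristics as a hook on API_ADDR would; ret_addr is the word at [ESP]."""
    alerts = []
    if not stack_pivot_check(esp, stack_limit, stack_base):
        alerts.append("StackPivot: ESP outside thread stack")
    if not call_precedes(code, CODE_BASE, ret_addr, API_ADDR):
        alerts.append("CallerCheck: return address not preceded by a CALL")
    return alerts

def build_code() -> bytes:
    """Constructed image: CALL API at +0x10, 'pop edi; ret' gadget at +0x20, CALL [disp32] at +0x30."""
    code = bytearray(b"\x90" * 0x40)
    code[0x10] = 0xE8
    code[0x11:0x15] = (API_ADDR - (CODE_BASE + 0x15)).to_bytes(4, "little", signed=True)
    code[0x20:0x22] = b"\x5F\xC3"
    code[0x30:0x32] = b"\xFF\x15"
    code[0x32:0x36] = (0x00402000).to_bytes(4, "little")
    return bytes(code)
```

A legitimate call returns to +0x15 or +0x36 and passes cleanly; a chain that enters the API via a `ret` lands on the gadget at +0x20 and trips CallerCheck, and a pivoted ESP trips StackPivot as well.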
Differentiate

| Protection                    | EMET       | MBAE         | Hitman Alert |
|-------------------------------|------------|--------------|--------------|
| ROP: StackPivot               | Yes        | Yes          | Yes          |
| ROP: CallerCheck              | Yes (Full) | Yes (Dumbed) | Yes (Dumbed) |
| ROP: SimExecFlow              | Yes        | No           | No           |
| Payload (Shellcode)           | No         | Yes          | Yes          |
| Control Flow Integrity (ROP)  | No         | No           | Yes          |
| EAF                           | Yes        | No           | No           |
| Image Hijack                  | No         | Yes          | Yes          |
Bypassing
- StackPivot
- CallerCheck
- SimExecFlow
- EAF/Payload Check
- CFI

Bypassing StackPivot
Bypassing CallerCheck & SimExecFlow
Bypassing CFI
- Null out the LBR before the API call
- Borrow functions (hard, unless automated)
- Be creative (what we did)
Note: We bypassed a public implementation of CFI; this does not mean that a CFI implemented another way can be bypassed the same way.
Bypassing Payload Check
Bypassing All Protections
In all public exploit mitigation toolkits (generic)

DEMO time

Bypassing All Protections: StackPivot
Targeted Bypassing: EMET
0x779fe695 + poi(0x779fe695 + 1) => 0x37df11d0
0x37df11d0+0x26 => Preserved Function Prologue
Jumping into the preserved function prologue bypasses the hook and forms a valid API call chain.
Targeted Bypassing: "Other Tools"
Just like EMET, we can bypass other public and free toolkits as well. However, that is not within the scope of this presentation. =)
Conclusion
An attacker who has studied the system can break anything & everything.
Best method of protecting yourself is using a custom protection, and never letting the adversary know what you use.
Queries?