Defeating public exploit protections (EMET v5.2 and more)
Raghav Pande, Researcher @ FireEye
Disclaimer
The Content, Demonstration, Source Code and Programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.
However, neither I nor SecurityXploded is responsible under any circumstances for any damage or loss caused by use or misuse of the information presented here.
Content
Introduction to Exploitation
Public Protections
Bypass
Precisely Targeted
Why Exploits?
Difficult to understand
No proper intel
Can own a Researcher and Newbie alike
You really need to know your stuff
Information
Tools used are public and free
EMET (Microsoft)
Anti-Exploit (Malwarebytes)
HitmanPro.Alert (SurfRight)
Note: They do a very good job in protecting end users, but nothing is perfect.
Kudos to them!
Introduction to Exploitation
Exploits are crafted pieces of art which can elevate a software bug and grant you one-time access to code execution.
Loopholes or Logic Bugs
Memory Corruption
Information Disclosure
Introduction to Exploitation
Details
Pre Exploitation or Setup: Spray, Corruption of Meta-Information, InfoLeak
Exploitation: Corruption
Payload Execution: ROP, Code Execution
Post Exploitation: Malware
Possible Protections
Pre Exploitation or Setup: Spray
Exploitation / Payload Execution: ROP detection, Code Execution detection
Post Exploitation: Malware
Public Protections
3rd Party support:
MemProt
RopCallerCheck
StackPivot
SimExecFlow
LoadLibrary
Shellcode Protection
OS & Processor supported:
ASLR (Enforced)
DEP (Enforced)
Exploitation
CVE-2012-1876
IE exploit: corruption of heap data by overflow
ROP
Shellcode to pop calc.exe
Hurdles
Rop Detection
Shellcode Detection
ASLR
DEP
Exploitation
Defeat DEP by ROP
Defeat ASLR by memory leak (provided in sample exploit)
Crux of Exploitation Detection techniques
Exploitation Detection hurdles left: ROP, Shellcode
Defeating protections from Stack based exploits is for next meetup probably.
Exploitation
In the End
Most browser-based vulnerabilities can be used to cover ASLR by leaking memory to form a valid ROP chain.
Nearly all exploits come down to:
1. Spray
2. ROP
3. Shellcode
So we will focus on bypassing these only.
Protections StackPivot Check (ROP)
Protections CallerCheck & SimExecFlow Check (ROP)
Protections Payload Check (Shellcode)
Protections EAF Check (EMET)
Differentiate

| Protection | EMET | MBAE | HitmanPro.Alert |
|---|---|---|---|
| ROP: StackPivot | Yes | Yes | Yes |
| ROP: CallerCheck | Yes (Full) | Yes (Dumbed) | Yes (Dumbed) |
| ROP: SimExecFlow | Yes | No | No |
| Payload (Shellcode) | No | Yes | Yes |
| Control Flow Integrity (ROP) | No | No | Yes |
| EAF | Yes | No | No |
| Image Hijack | No | Yes | Yes |
Bypassing
StackPivot
CallerCheck
SimExecFlow
EAF/Payload Check
CFI
Bypassing Stackpivot
Bypassing CallerCheck & SimExecFlow
Bypassing CFI
Null out LBR before ApiCall
Borrow functions (hard, unless automated)
Be Creative (what we did)
Note: We bypassed a public implementation of CFI; that doesn't mean an implementation done another way can be bypassed the same way.
Bypassing Payload Check
Bypassing All protections
In All public exploit mitigation toolkits (Generic)
DEMO time
Bypassing All protections
StackPivot
Targeted Bypassing
EMET
0x779fe695 + poi(0x779fe695 + 1) => 0x37df11d0
Targeted Bypassing
EMET
0x37df11d0 + 0x26 => preserved function prologue
Jumping into the preserved function prologue bypasses the hook and forms a valid API call chain.
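The address arithmetic on the slide, written up as a defender's API-prologue integrity check (an added example, not code from the talk): a 5-byte `jmp rel32` (opcode E9) planted at an exported function's first instruction is decoded and its target is compared against the bounds of the module that exports the API; since x86 takes rel32 relative to the end of the 5-byte instruction, the target is addr + 5 + rel32 (the slide's `poi(addr + 1)` shorthand leaves the +5 implicit). The sample byte patterns, the module bounds and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: treat the hook resolution on the slide
 * as an API-prologue integrity check.  A 5-byte "jmp rel32" (opcode E9) at
 * an exported function's first instruction redirects it; x86 computes the
 * displacement from the end of that instruction, so target = addr + 5 + rel32. */

#define JMP_REL32_OPCODE 0xE9u
#define JMP_REL32_LEN    5u

/* Constructed sample prologues (5 bytes each). */
const uint8_t SAMPLE_HOOKED[5] = {0xE9, 0x36, 0x2B, 0x3F, 0xC0}; /* lands on 0x37df11d0 when placed at 0x779fe695 */
const uint8_t SAMPLE_CLEAN[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t SAMPLE_LOCAL[5]  = {0xE9, 0x10, 0x00, 0x00, 0x00}; /* jmp +0x10, stays inside the module */

/* Constructed (hypothetical) bounds of the module that exports the API. */
#define MODULE_BASE 0x77980000u
#define MODULE_SIZE 0x0013C000u

/* Returns the jump target, or 0 if the bytes do not start with jmp rel32.
 * Arithmetic is done in uint32_t so it wraps exactly as a 32-bit CPU does. */
uint32_t resolve_jmp_rel32(uint32_t addr, const uint8_t *bytes)
{
    if (bytes[0] != JMP_REL32_OPCODE)
        return 0;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8)
                 | ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return addr + JMP_REL32_LEN + rel;
}

/* Verdict: 0 = no jmp at entry, 1 = jmp leaves the module (third-party hook,
 * e.g. an exploit-mitigation shim or malware), 2 = jmp stays inside the module. */
int classify_prologue(uint32_t addr, const uint8_t *bytes,
                      uint32_t base, uint32_t size)
{
    uint32_t target = resolve_jmp_rel32(addr, bytes);
    if (target == 0)
        return 0;
    if (target >= base && target < base + size)
        return 2;
    return 1;
}

int main(void)
{
    uint32_t t = resolve_jmp_rel32(0x779fe695u, SAMPLE_HOOKED);
    printf("hook target 0x%08x, verdict %d\n", (unsigned)t,
           classify_prologue(0x779fe695u, SAMPLE_HOOKED, MODULE_BASE, MODULE_SIZE));
    return 0;
}
```

A verdict of 1 on a function you did not hook yourself is what an integrity monitor would alert on; on a machine running a mitigation toolkit it is expected for every shimmed API, so baseline which hooks are legitimate before alerting.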
Targeted Bypassing
“Other Tools”
Just like EMET, other public and free toolkits can be bypassed as well.
However, that is not within the scope of this presentation. =)
Conclusion
An attacker who has studied the system can break anything and everything.
The best method of protecting yourself is to use a custom protection and never let the adversary know what you use.
Queries?