Published by Rosanna Richard. Modified over 9 years ago.
Slide 1: Defeating public exploit protections (EMET v5.2 and more)
Raghav Pande, FireEye
Slide 2: Disclaimer
The Content, Demonstration, Source Code and Programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working. However, under no circumstances will I or SecurityXploded be responsible for any damage or loss caused by use or misuse of the information presented here.
Slide 3: Content
- Introduction to Exploitation
- Public Protections
- Bypass
- Precisely Targeted
Slide 4: Why Exploits?
- Difficult to understand
- No proper intel
- Can own a researcher and a newbie alike
- You really need to know your stuff
Slide 5: Information
Tools used are public and free:
- EMET (Microsoft)
- Anti-Exploit (Malwarebytes)
- HitmanPro.Alert (SurfRight)
Note: They do a very good job of protecting end users, but nothing is perfect. Kudos to them!
Slide 6: Introduction to Exploitation
Exploits are crafted pieces of art which can elevate a software bug and grant you one-time access to code execution.
- Loopholes or logic bugs
- Memory corruption
- Information disclosure
Slide 7: Introduction to Exploitation: Details
- Pre-Exploitation or Setup: Spray, Corruption of Meta-Information, InfoLeak
- Exploitation: Corruption
- Payload Execution: ROP, Code Execution
- Post-Exploitation: Malware
Slide 8: Possible Protections
- Pre-Exploitation or Setup: Spray
- Exploitation
- Payload Execution: ROP detection, Code Execution detection
- Post-Exploitation: Malware
Slide 9: Public Protections
3rd-party support:
- MemProt
- ROP: CallerCheck, StackPivot, SimExecFlow, LoadLibrary
- Shellcode Protection
OS & processor supported:
- ASLR (Enforced)
- DEP (Enforced)
Slide 10: Exploitation: CVE-2012-1876 IE exploit
- Corruption of heap data by overflow
- ROP
- Shellcode to pop calc.exe
Hurdles:
- ROP detection
- Shellcode detection
- ASLR
- DEP
Slide 11: Exploitation
- Defeat DEP by ROP
- Defeat ASLR by memory leak (provided in sample exploit)
Crux of Exploitation: Detection techniques
Exploitation Detection, hurdles left:
- ROP
- Shellcode
Defeating protections for stack-based exploits is probably for the next meetup.
Slide 12: Exploitation: In the End
Most browser-based vulnerabilities can be used to cover ASLR by leaking memory to form a valid ROP chain. Nearly all exploits come down to:
1. Spray
2. ROP
3. Shellcode
So we will focus on bypassing these only.
Slide 13: Protections: StackPivot Check (ROP)
Slide 14: Protections: CallerCheck & SimExecFlow Check (ROP)
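The StackPivot check (slide 13) and the CallerCheck (slide 14) both run at the moment a hooked critical API is entered: the first asks whether the stack pointer still lies inside the thread's real stack, the second whether the return address on that stack is preceded by a CALL instruction, i.e. whether the API was reached by a call rather than by a ROP gadget's RET. The block below is an added, simplified model of those two heuristics written for this page; it is not code from the presentation, from EMET or from any of the toolkits named. The stack bounds, the code bytes and all function names (`stack_pivot_ok`, `call_preceded`, `check_api_entry`) are constructed for the example; a real implementation would read the bounds from the TEB and the bytes from the live process image, and would decode more CALL encodings than the handful shown.

```c
/* Added example: a simplified model of two EMET-style ROP heuristics that run
 * when a hooked critical API is entered. Not code from the presentation.
 *   StackPivot  - is the stack pointer inside the thread's real stack?
 *   CallerCheck - is the return address preceded by a CALL instruction, i.e.
 *                 was the API reached by a call and not by a gadget's RET?
 * Stack bounds and code bytes below are constructed; a real implementation
 * reads the bounds from the TEB and the bytes from the live process image. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uintptr_t stack_limit; /* lowest valid stack address (TEB StackLimit)  */
    uintptr_t stack_base;  /* one past the highest address (TEB StackBase) */
} stack_bounds;

typedef enum {
    VERDICT_OK = 0,
    VERDICT_STACK_PIVOT = 1,      /* sp outside the thread stack         */
    VERDICT_NOT_CALL_PRECEDED = 2 /* return address not reached via CALL */
} verdict;

/* StackPivot check: a pivot into a sprayed heap buffer leaves [limit, base). */
int stack_pivot_ok(const stack_bounds *b, uintptr_t sp)
{
    return sp >= b->stack_limit && sp < b->stack_base;
}

/* CallerCheck: decode the bytes just before the return address (offset
 * ret_off into code) and accept only if some common x86 CALL encoding ends
 * exactly there. Encodings with a SIB byte are deliberately not handled. */
int call_preceded(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return 0;
    /* E8 rel32: call near relative (5 bytes) */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;
    /* FF D0..D7: call reg (2 bytes) */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF &&
        (code[ret_off - 1] & 0xF8) == 0xD0) return 1;
    /* FF 50..57 disp8: call [reg+disp8] (3 bytes) */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF &&
        (code[ret_off - 2] & 0xF8) == 0x50) return 1;
    /* FF 15 disp32: call [disp32] / call [rip+disp32] (6 bytes) */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15) return 1;
    /* FF 90..97 disp32: call [reg+disp32] (6 bytes) */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF &&
        (code[ret_off - 5] & 0xF8) == 0x90) return 1;
    return 0;
}

/* Cheap range check first, byte decoding second. */
verdict check_api_entry(const stack_bounds *b, uintptr_t sp,
                        const uint8_t *code, size_t len, size_t ret_off)
{
    if (!stack_pivot_ok(b, sp)) return VERDICT_STACK_PIVOT;
    if (!call_preceded(code, len, ret_off)) return VERDICT_NOT_CALL_PRECEDED;
    return VERDICT_OK;
}

/* Constructed TEB-like bounds: a 1 MiB thread stack. */
const stack_bounds DEMO_BOUNDS = { 0x00100000u, 0x00200000u };

/* Constructed code bytes: two legitimate call sites and one RET gadget. */
const uint8_t DEMO_CODE[] = {
    0x55,                          /*  0: push ebp                             */
    0xE8, 0x10, 0x00, 0x00, 0x00,  /*  1: call rel32                           */
    0x90,                          /*  6: nop   <- legitimate return address   */
    0xFF, 0xD0,                    /*  7: call eax                             */
    0x90,                          /*  9: nop   <- legitimate return address   */
    0x5E,                          /* 10: pop esi   (gadget body)              */
    0xC3,                          /* 11: ret                                  */
    0x90,                          /* 12: nop   <- where a ROP chain "returns" */
};
const size_t DEMO_CODE_LEN = sizeof DEMO_CODE;

int main(void)
{
    static const char *names[] = { "ok", "stack pivot", "not call-preceded" };
    /* Normal call: sp on the thread stack, return address right after a CALL. */
    printf("legit  : %s\n", names[check_api_entry(&DEMO_BOUNDS, 0x0017ff80u, DEMO_CODE, DEMO_CODE_LEN, 6)]);
    /* ROP chain whose stack pointer was pivoted into a sprayed buffer. */
    printf("pivot  : %s\n", names[check_api_entry(&DEMO_BOUNDS, 0x0c0c0c0cu, DEMO_CODE, DEMO_CODE_LEN, 6)]);
    /* ROP chain that kept the real stack: the return address follows a RET. */
    printf("gadget : %s\n", names[check_api_entry(&DEMO_BOUNDS, 0x0017ff80u, DEMO_CODE, DEMO_CODE_LEN, 12)]);
    return 0;
}
```

The three calls in `main` show the intended verdicts: a legitimate call passes both checks, a pivoted stack fails the range check before any bytes are decoded, and a chain that stays on the real stack is caught only by the call-preceded test. SimExecFlow extends the second idea by walking forward from the return address and applying the same test to each subsequent return.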
Slide 15: Protections: Payload Check (Shellcode)
Slide 16: Protections: EAF Check (EMET)
Slide 17: Differentiate (EMET, MBAE, HitmanPro.Alert)
- ROP StackPivot: Yes
- ROP CallerCheck: Yes (Full), Yes (Dumbed down)
- ROP SimExecFlow: No
- Payload (Shellcode)
- Control Flow Integrity (ROP)
- EAF
- Image Hijack
Slide 18: Bypassing
- StackPivot
- CallerCheck
- SimExecFlow
- EAF/Payload Check
- CFI
Slide 19: Bypassing StackPivot
Slide 20: Bypassing StackPivot
Slide 21: Bypassing CallerCheck & SimExecFlow
Slide 22: Bypassing CFI
- Null out LBR before the API call
- Borrow functions (hard, unless automated)
- Be creative (what we did)
Note: We bypassed a public implementation of CFI; that doesn't mean that if it is implemented another way it can still be bypassed the same way.
Slide 23: Bypassing CFI
Slide 24: Bypassing Payload Check
Slide 25: Bypassing All Protections
In all public exploit mitigation toolkits (generic)
DEMO time
Slide 26: Bypassing All Protections
StackPivot
Slide 27: Targeted Bypassing EMET
0x779fe695 + poi(0x779fe ) => 0x37df11d0
Slide 28: Targeted Bypassing EMET
0x37df11d0 + 0x26 => Preserved Function Prologue
Jumping into the preserved function prologue bypasses the hook and forms a valid API call chain.
Slide 29: Targeted Bypassing "Other Tools"
Just like EMET, we can bypass other public and free toolkits as well. However, that is not the scope of this presentation. =)
Slide 30: Conclusion
An attacker who has studied the system can break anything and everything. The best method of protecting yourself is to use a custom protection and never let the adversary know what you use.
Slide 31: Queries?