3. Vulnerability & Exploit
Vulnerability: a serious bug in a software program that can allow an attacker to compromise the execution state of the trusted running application.
Exploit: software code that takes advantage of a vulnerability and hijacks the execution of the trusted running application.
4. Shellcode
exploit = vulnerability + shellcode
Shellcode is the actual malicious code that the attacker wants to execute after hijacking execution.
Shellcode properties [important]:
• should resolve the API addresses at run time.
6. DEP
DEP - Data Execution Prevention - heap and stack are by default not executable.
• Use existing code from DLLs to bypass DEP, in other words use ROP (Return Oriented Programming).
• ROP relies on the memory addresses of the gadgets in the DLLs.
7. ASLR
ASLR - Address Space Layout Randomisation
VA = BA + RVA
• VA : Virtual Address
• BA : Base Address
• RVA : Relative Virtual Address
Randomise the BA to get a different VA, i.e. ASLR.
Remember? For the DEP bypass we need the VA of the gadgets.
9. EAF/EAF+
Export Address table Filtering
• safeguards the export table of ntdll and kernel32 using debug registers.
EAF+
• safeguards the export tables of ntdll, kernel32 and kernelbase with some additional shellcode checks.
• provides blacklisting of the DLLs that should not be allowed to access the protected locations.
10. EMET Bypass
Use of the IAT to resolve the APIs in shellcode.
We observed this in the Angler exploit kit, April 2016.
DEMO
reference: https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
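A toy model of the EAF / EAF+ guard from slide 9 and the gap slide 10 exploits, added here as an example (not EMET's code and not from the talk). The debug-register breakpoints are modelled as address ranges; the module names, bases, RVAs and the blacklist entry are constructed values, and the check shows that a read of a non-guarded module's own import table never trips the guard.

```python
# Toy model of EMET's EAF / EAF+ export-table guard (constructed example, not
# EMET's code): debug-register breakpoints are modelled as address ranges and
# the policy decides whether a read of a guarded export table is allowed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int          # BA, randomised per process under ASLR
    size: int
    export_rva: int    # RVA of the export address table
    export_size: int

    def va(self, rva: int) -> int:
        return self.base + rva              # VA = BA + RVA (slide 7)

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size

    def in_export_table(self, va: int) -> bool:
        lo = self.va(self.export_rva)
        return lo <= va < lo + self.export_size

# Constructed layout; bases and RVAs are illustrative, not real Windows values.
MODULES = [
    Module("ntdll.dll",      0x7FF910000000, 0x1F0000, 0x12000, 0x4000),
    Module("kernel32.dll",   0x7FF90C000000, 0x0B0000, 0x0A000, 0x3000),
    Module("kernelbase.dll", 0x7FF8FE000000, 0x2A0000, 0x20000, 0x5000),
    Module("plugin.dll",     0x000010000000, 0x010000, 0x01000, 0x0100),
]
EAF_GUARDED = {"ntdll.dll", "kernel32.dll"}
EAF_PLUS_GUARDED = EAF_GUARDED | {"kernelbase.dll"}
EAF_PLUS_BLACKLIST = {"plugin.dll"}      # constructed: module denied access to guarded tables

def module_of(va: int):
    return next((m for m in MODULES if m.contains(va)), None)

def check_read(ip: int, target: int, plus: bool = False) -> str:
    """'allow' or 'block' for a read of `target` by the instruction at `ip`."""
    guarded = EAF_PLUS_GUARDED if plus else EAF_GUARDED
    victim = module_of(target)
    if victim is None or victim.name not in guarded or not victim.in_export_table(target):
        return "allow"                      # breakpoint covers only guarded export tables
    src = module_of(ip)
    if src is None:
        return "block"                      # read from non-image memory (heap/stack shellcode)
    if plus and src.name in EAF_PLUS_BLACKLIST:
        return "block"                      # EAF+ blacklist of DLLs
    return "allow"                          # ordinary loader/DLL code
```

The last case in the test (a heap-resident reader touching plugin.dll's own image rather than a guarded export table) is why an IAT-based API lookup is invisible to this kind of guard.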
11. Conclusion
It is difficult for an external tool to protect an application from exploits, because all validations will mostly be based on API calls. ROP checks etc. are not organic detections.
If in-the-wild (ITW) exploit kits are using creative bypass methods, then imagine the level of sophistication in very targeted attacks.