EMET is Microsoft's tool to make exploits more difficult by adding protections like DEP and ASLR. However, the document outlines how an attacker could bypass EMET protections and disable them using return-oriented programming. The attacker identifies a vulnerability in Firebird that provides enough space for payload. Despite EMET protections, the attacker is able to craft a 19 gadget ROP chain to dynamically resolve EMET's base address and modify configuration offsets to disable protections. A demonstration shows it working to exploit a system with EMET installed. Later EMET versions addressed this by storing configuration in randomized memory.

1. FunWith Dr. Brown
Spencer McIntyre
Cleveland B-Sides
July 19th, 2014

2. Introduction
• Who am I?
• Spencer McIntyre
• Security Researcher @SecureState
• Metasploit Project Member
• Why we’re here:
• Introducing Dr. Emmett Brown
• We’re going to talk about Microsoft’s EMET

3. EMET Overview
• The Enhanced Mitigation ExperienceToolkit
• Microsoft’s response for making unknown vulnerabilities more difficult to
exploit
• EMET does not “fix” vulnerabilities, it makes them difficult to exploit
reliably
• Crashes are easy but ain’t nobody got time for that
• Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)

4. How Does EMET Make Exploitation Difficult?
• Protections are divided into 3 categories (Memory, ROP, & Other)
• Key protections:
• DEP
• MandatoryASLR
• NullPage
• StackPivot
• Export Address Filtering (EAF)
• 7 Others in EMET 4.1

5. Application Configuration
• Consult the EMET User’s Guide for details

6. DEP & ASLR
• Every application should use DEP &
ASLR
• Can be configured by both the OS (with or
without EMET) or by applications
• Almost allWindows native modules are
ASLRed since Windows 7+
• Have to be careful about third party
applications

7. Brief History of BypassTechniques
• ASLR and DEP bypass techniques are not EMET specific
• Predate EMET
• “Jump” over hooks
• Can make the exploit become Windows version specific
• November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export
address table Address Filter (EAF)” targeting EMET 2.0

8. EMET Start Up
• EMET.dll is loaded into the protected process
• Even when no protections are enabled
• The EMET.dll loads the configuration from the
registry
• EMET Configuration is copied to RW segment
• Can be changed at run time by the application
• First noticed in EMET version 4.0

9. Picking AVulnerability
• Desirable Qualities
• Large amount of payload space (>750 bytes)
• No bad characters
• Non-ASLRed executable module (at least, DLLs are a bonus)
• CVE-2013-2492
• Stack Base Buffer Overflow in Firebird Database
• Meets all requirements
• Remotely exploitable for SYSTEM shell with default configuration

10. What ProtectionsWork?
• Protections target specific vulnerabilities
• Not all protections are always applicable (Example: Null Page)
• Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP)
• Caller
• EAF
• Deep Hooks
• Banned Functions

11. What AreWe GoingTo Do?

12. PatchThe ActionVia ROP
• EMET is ASLRed
• GetModuleHandleA() is not a protected function
• ROP chain resolves the EMET base address dynamically
• Change offset from EMET base address to change the configuration
• Two locations for completely disabling
• &EMET+0x0079074 (EMET 4.0 & 4.1)
• &EMET+0x007e07c (EMET 4.0 & 4.1)

13. ConfigurationValue References

14. EMET Disabling ROP Chain
• 19 Gadget EMET Disabling ROP Chain
• Main steps are:
1. Reslove EMET base address via
GetModuleHandleA or similar
2. Calculate offset via constants
3. Modify the values of the offsets

15. The Result
• After patched, trigger all the
protections!
• No shellcode modification
necessary
• Metasploit payloads can be used
• Energy required to exploit?
• Less than 1.21 gigawatts

16. DemoTime

17. EMET 5.0Tech Preview 1
VULNERABLE

18. EMET 5.0Tech Preview 1
• Still vulnerable
• Encoded Pointer is Optional
• What do we do? Disable it!

19. EMET 5.0Tech Preview 2
Fixed

20. EMET 5.0TP2 Fix
• Configuration no longer stored in .data
• Stored in space allocated at run time
• Pointer to configuration is stored in .data
• Protected with EncodePointer/DecodePointer
• Permissions are set to Read Only
• Resolving EncoderPointer via ROP would pose a risk
• Existence in IAT of nonASLRed module
• Overwrite configuration location as in 5.0TP1 bypass

21. ClosingThoughts
• Main executables (.exe’s) without ASLR are bad
• Really bad, not even EMET can fix that
• EMET’s Deep Hooks is a great setting
• Metasploit’s PrependMigrate is also a great setting
• When the going gets tough execute a Powershell command
• This technique is not a silver bullet
• The vulnerability and affected software needs to meet some criteria

22. Timeline
• October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation
Toolkit)
• June 17, 2013: EMET 4.0 released
• October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in
EMET 4.0. Microsoft responds requesting technical details
• October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical
details for the bypass
• November 5, 2013: Microsoft acknowledges technical details from SecureState
• November 12, 2013: EMET 4.1 released (still vulnerable to the bypass)
• November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass
• February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for
collaboration
• April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released
• SecureState's bypass is patched in EMET 5Tech Preview 2.
• July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience
Toolkit (EMET)”Outlining this vulnerability

23. Questions?

24. References
• Skypher: http://www.exploit-db.com/wp-
content/themes/exploit/docs/15579.pdf
• 0xdabbad00: http://0xdabbad00.com/wp-
content/uploads/2013/11/emet_4_1_uncovered.pdf
• Exodus Intel: https://www.exodusintel.com/files/Aaron_Portnoy-
Bypassing_All_Of_The_Things.pdf
• Offensive Security Blog: http://www.offensive-
security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-
emet/
• http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf

25. Thanks ForYourTime
• Thanks to Jake Garlie for Research Assistance
• Spencer McIntyre
• @zeroSteiner