SlideShare a Scribd company logo
FunWith Dr. Brown
Spencer McIntyre
Cleveland B-Sides
July 19th, 2014
Introduction
• Who am I?
• Spencer McIntyre
• Security Researcher @SecureState
• Metasploit Project Member
• Why we’re here:
• Introducing Dr. Emmett Brown
• We’re going to talk about Microsoft’s EMET
EMET Overview
• The Enhanced Mitigation ExperienceToolkit
• Microsoft’s response for making unknown vulnerabilities more difficult to
exploit
• EMET does not “fix” vulnerabilities, it makes them difficult to exploit
reliably
• Crashes are easy but ain’t nobody got time for that
• Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)
How Does EMET Make Exploitation Difficult?
• Protections are divided into 3 categories (Memory, ROP, & Other)
• Key protections:
• DEP
• MandatoryASLR
• NullPage
• StackPivot
• Export Address Filtering (EAF)
• 7 Others in EMET 4.1
Application Configuration
• Consult the EMET User’s Guide for details
DEP & ASLR
• Every application should use DEP &
ASLR
• Can be configured by both the OS (with or
without EMET) or by applications
• Almost allWindows native modules are
ASLRed since Windows 7+
• Have to be careful about third party
applications
Brief History of BypassTechniques
• ASLR and DEP bypass techniques are not EMET specific
• Predate EMET
• “Jump” over hooks
• Can make the exploit become Windows version specific
• November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export
address table Address Filter (EAF)” targeting EMET 2.0
EMET Start Up
• EMET.dll is loaded into the protected process
• Even when no protections are enabled
• The EMET.dll loads the configuration from the
registry
• EMET Configuration is copied to RW segment
• Can be changed at run time by the application
• First noticed in EMET version 4.0
Picking AVulnerability
• Desirable Qualities
• Large amount of payload space (>750 bytes)
• No bad characters
• Non-ASLRed executable module (at least, DLLs are a bonus)
• CVE-2013-2492
• Stack Base Buffer Overflow in Firebird Database
• Meets all requirements
• Remotely exploitable for SYSTEM shell with default configuration
What ProtectionsWork?
• Protections target specific vulnerabilities
• Not all protections are always applicable (Example: Null Page)
• Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP)
• Caller
• EAF
• Deep Hooks
• Banned Functions
What AreWe GoingTo Do?
PatchThe ActionVia ROP
• EMET is ASLRed
• GetModuleHandleA() is not a protected function
• ROP chain resolves the EMET base address dynamically
• Change offset from EMET base address to change the configuration
• Two locations for completely disabling
• &EMET+0x0079074 (EMET 4.0 & 4.1)
• &EMET+0x007e07c (EMET 4.0 & 4.1)
ConfigurationValue References
EMET Disabling ROP Chain
• 19 Gadget EMET Disabling ROP Chain
• Main steps are:
1. Reslove EMET base address via
GetModuleHandleA or similar
2. Calculate offset via constants
3. Modify the values of the offsets
The Result
• After patched, trigger all the
protections!
• No shellcode modification
necessary
• Metasploit payloads can be used
• Energy required to exploit?
• Less than 1.21 gigawatts
DemoTime
EMET 5.0Tech Preview 1
VULNERABLE
EMET 5.0Tech Preview 1
• Still vulnerable
• Encoded Pointer is Optional
• What do we do? Disable it!
EMET 5.0Tech Preview 2
Fixed
EMET 5.0TP2 Fix
• Configuration no longer stored in .data
• Stored in space allocated at run time
• Pointer to configuration is stored in .data
• Protected with EncodePointer/DecodePointer
• Permissions are set to Read Only
• Resolving EncoderPointer via ROP would pose a risk
• Existence in IAT of nonASLRed module
• Overwrite configuration location as in 5.0TP1 bypass
ClosingThoughts
• Main executables (.exe’s) without ASLR are bad
• Really bad, not even EMET can fix that
• EMET’s Deep Hooks is a great setting
• Metasploit’s PrependMigrate is also a great setting
• When the going gets tough execute a Powershell command
• This technique is not a silver bullet
• The vulnerability and affected software needs to meet some criteria
Timeline
• October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation
Toolkit)
• June 17, 2013: EMET 4.0 released
• October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in
EMET 4.0. Microsoft responds requesting technical details
• October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical
details for the bypass
• November 5, 2013: Microsoft acknowledges technical details from SecureState
• November 12, 2013: EMET 4.1 released (still vulnerable to the bypass)
• November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass
• February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for
collaboration
• April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released
• SecureState's bypass is patched in EMET 5Tech Preview 2.
• July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience
Toolkit (EMET)”Outlining this vulnerability
Questions?
References
• Skypher: http://www.exploit-db.com/wp-
content/themes/exploit/docs/15579.pdf
• 0xdabbad00: http://0xdabbad00.com/wp-
content/uploads/2013/11/emet_4_1_uncovered.pdf
• Exodus Intel: https://www.exodusintel.com/files/Aaron_Portnoy-
Bypassing_All_Of_The_Things.pdf
• Offensive Security Blog: http://www.offensive-
security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-
emet/
• http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
Thanks ForYourTime
• Thanks to Jake Garlie for Research Assistance
• Spencer McIntyre
• @zeroSteiner

More Related Content

What's hot

Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
Tamas K Lengyel
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning Tree
E Hacking
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
Tamas K Lengyel
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
Tamas K Lengyel
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Packers
PackersPackers
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
Sam Bowne
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
Sam Bowne
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 

What's hot (20)

Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning Tree
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Pitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardwarePitfalls of virtual machine introspection on modern hardware
Pitfalls of virtual machine introspection on modern hardware
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Packers
PackersPackers
Packers
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 

Similar to Fun With Dr Brown

Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: IntroductionOracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
terrencebarr
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
FFRI, Inc.
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
The Linux Foundation
 
Objectives andwarmups
Objectives andwarmupsObjectives andwarmups
Objectives andwarmups
mma8108
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
Ashok Reddy Medikonda
 
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
Frank van der Linden
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
gree_tech
 
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
Raahul Raghavan
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
ssusere142fe
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RAC
Secure-24
 
CoreML
CoreMLCoreML
CoreML
Ali Akhtar
 
Training Slides: 103 - Basics - Simple Tungsten Clustering Installation
Training Slides: 103 - Basics - Simple Tungsten Clustering InstallationTraining Slides: 103 - Basics - Simple Tungsten Clustering Installation
Training Slides: 103 - Basics - Simple Tungsten Clustering Installation
Continuent
 
What Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versaWhat Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versa
Brendan Gregg
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Ontico
 

Similar to Fun With Dr Brown (20)

Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: IntroductionOracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
XPDDS17: Dedicated Secure Domain as Approach for Certification of Automotive ...
 
Objectives andwarmups
Objectives andwarmupsObjectives andwarmups
Objectives andwarmups
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
NCUG 2019: Spring forward: an introduction to Spring boot and Thymeleaf for (...
 
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
 
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RAC
 
CoreML
CoreMLCoreML
CoreML
 
Training Slides: 103 - Basics - Simple Tungsten Clustering Installation
Training Slides: 103 - Basics - Simple Tungsten Clustering InstallationTraining Slides: 103 - Basics - Simple Tungsten Clustering Installation
Training Slides: 103 - Basics - Simple Tungsten Clustering Installation
 
What Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versaWhat Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versa
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 

Fun With Dr Brown

  • 1. FunWith Dr. Brown Spencer McIntyre Cleveland B-Sides July 19th, 2014
  • 2. Introduction • Who am I? • Spencer McIntyre • Security Researcher @SecureState • Metasploit Project Member • Why we’re here: • Introducing Dr. Emmett Brown • We’re going to talk about Microsoft’s EMET
  • 3. EMET Overview • The Enhanced Mitigation ExperienceToolkit • Microsoft’s response for making unknown vulnerabilities more difficult to exploit • EMET does not “fix” vulnerabilities, it makes them difficult to exploit reliably • Crashes are easy but ain’t nobody got time for that • Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)
  • 4. How Does EMET Make Exploitation Difficult? • Protections are divided into 3 categories (Memory, ROP, & Other) • Key protections: • DEP • MandatoryASLR • NullPage • StackPivot • Export Address Filtering (EAF) • 7 Others in EMET 4.1
  • 5. Application Configuration • Consult the EMET User’s Guide for details
  • 6. DEP & ASLR • Every application should use DEP & ASLR • Can be configured by both the OS (with or without EMET) or by applications • Almost allWindows native modules are ASLRed since Windows 7+ • Have to be careful about third party applications
  • 7. Brief History of BypassTechniques • ASLR and DEP bypass techniques are not EMET specific • Predate EMET • “Jump” over hooks • Can make the exploit become Windows version specific • November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export address table Address Filter (EAF)” targeting EMET 2.0
  • 8. EMET Start Up • EMET.dll is loaded into the protected process • Even when no protections are enabled • The EMET.dll loads the configuration from the registry • EMET Configuration is copied to RW segment • Can be changed at run time by the application • First noticed in EMET version 4.0
  • 9. Picking AVulnerability • Desirable Qualities • Large amount of payload space (>750 bytes) • No bad characters • Non-ASLRed executable module (at least, DLLs are a bonus) • CVE-2013-2492 • Stack Base Buffer Overflow in Firebird Database • Meets all requirements • Remotely exploitable for SYSTEM shell with default configuration
  • 10. What ProtectionsWork? • Protections target specific vulnerabilities • Not all protections are always applicable (Example: Null Page) • Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP) • Caller • EAF • Deep Hooks • Banned Functions
  • 12. PatchThe ActionVia ROP • EMET is ASLRed • GetModuleHandleA() is not a protected function • ROP chain resolves the EMET base address dynamically • Change offset from EMET base address to change the configuration • Two locations for completely disabling • &EMET+0x0079074 (EMET 4.0 & 4.1) • &EMET+0x007e07c (EMET 4.0 & 4.1)
  • 14. EMET Disabling ROP Chain • 19 Gadget EMET Disabling ROP Chain • Main steps are: 1. Reslove EMET base address via GetModuleHandleA or similar 2. Calculate offset via constants 3. Modify the values of the offsets
  • 15. The Result • After patched, trigger all the protections! • No shellcode modification necessary • Metasploit payloads can be used • Energy required to exploit? • Less than 1.21 gigawatts
  • 17. EMET 5.0Tech Preview 1 VULNERABLE
  • 18. EMET 5.0Tech Preview 1 • Still vulnerable • Encoded Pointer is Optional • What do we do? Disable it!
  • 20. EMET 5.0TP2 Fix • Configuration no longer stored in .data • Stored in space allocated at run time • Pointer to configuration is stored in .data • Protected with EncodePointer/DecodePointer • Permissions are set to Read Only • Resolving EncoderPointer via ROP would pose a risk • Existence in IAT of nonASLRed module • Overwrite configuration location as in 5.0TP1 bypass
  • 21. ClosingThoughts • Main executables (.exe’s) without ASLR are bad • Really bad, not even EMET can fix that • EMET’s Deep Hooks is a great setting • Metasploit’s PrependMigrate is also a great setting • When the going gets tough execute a Powershell command • This technique is not a silver bullet • The vulnerability and affected software needs to meet some criteria
  • 22. Timeline • October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation Toolkit) • June 17, 2013: EMET 4.0 released • October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in EMET 4.0. Microsoft responds requesting technical details • October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical details for the bypass • November 5, 2013: Microsoft acknowledges technical details from SecureState • November 12, 2013: EMET 4.1 released (still vulnerable to the bypass) • November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass • February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for collaboration • April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released • SecureState's bypass is patched in EMET 5Tech Preview 2. • July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience Toolkit (EMET)”Outlining this vulnerability
  • 24. References • Skypher: http://www.exploit-db.com/wp- content/themes/exploit/docs/15579.pdf • 0xdabbad00: http://0xdabbad00.com/wp- content/uploads/2013/11/emet_4_1_uncovered.pdf • Exodus Intel: https://www.exodusintel.com/files/Aaron_Portnoy- Bypassing_All_Of_The_Things.pdf • Offensive Security Blog: http://www.offensive- security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit- emet/ • http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
  • 25. Thanks ForYourTime • Thanks to Jake Garlie for Research Assistance • Spencer McIntyre • @zeroSteiner