SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 14 day free trial to unlock unlimited reading.
1.
FunWith Dr. Brown
Spencer McIntyre
Cleveland B-Sides
July 19th, 2014
2.
Introduction
• Who am I?
• Spencer McIntyre
• Security Researcher @SecureState
• Metasploit Project Member
• Why we’re here:
• Introducing Dr. Emmett Brown
• We’re going to talk about Microsoft’s EMET
3.
EMET Overview
• The Enhanced Mitigation ExperienceToolkit
• Microsoft’s response for making unknown vulnerabilities more difficult to
exploit
• EMET does not “fix” vulnerabilities, it makes them difficult to exploit
reliably
• Crashes are easy but ain’t nobody got time for that
• Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)
4.
How Does EMET Make Exploitation Difficult?
• Protections are divided into 3 categories (Memory, ROP, & Other)
• Key protections:
• DEP
• MandatoryASLR
• NullPage
• StackPivot
• Export Address Filtering (EAF)
• 7 Others in EMET 4.1
5.
Application Configuration
• Consult the EMET User’s Guide for details
6.
DEP & ASLR
• Every application should use DEP &
ASLR
• Can be configured by both the OS (with or
without EMET) or by applications
• Almost allWindows native modules are
ASLRed since Windows 7+
• Have to be careful about third party
applications
7.
Brief History of BypassTechniques
• ASLR and DEP bypass techniques are not EMET specific
• Predate EMET
• “Jump” over hooks
• Can make the exploit become Windows version specific
• November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export
address table Address Filter (EAF)” targeting EMET 2.0
8.
EMET Start Up
• EMET.dll is loaded into the protected process
• Even when no protections are enabled
• The EMET.dll loads the configuration from the
registry
• EMET Configuration is copied to RW segment
• Can be changed at run time by the application
• First noticed in EMET version 4.0
9.
Picking AVulnerability
• Desirable Qualities
• Large amount of payload space (>750 bytes)
• No bad characters
• Non-ASLRed executable module (at least, DLLs are a bonus)
• CVE-2013-2492
• Stack Base Buffer Overflow in Firebird Database
• Meets all requirements
• Remotely exploitable for SYSTEM shell with default configuration
10.
What ProtectionsWork?
• Protections target specific vulnerabilities
• Not all protections are always applicable (Example: Null Page)
• Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP)
• Caller
• EAF
• Deep Hooks
• Banned Functions
12.
PatchThe ActionVia ROP
• EMET is ASLRed
• GetModuleHandleA() is not a protected function
• ROP chain resolves the EMET base address dynamically
• Change offset from EMET base address to change the configuration
• Two locations for completely disabling
• &EMET+0x0079074 (EMET 4.0 & 4.1)
• &EMET+0x007e07c (EMET 4.0 & 4.1)
14.
EMET Disabling ROP Chain
• 19 Gadget EMET Disabling ROP Chain
• Main steps are:
1. Reslove EMET base address via
GetModuleHandleA or similar
2. Calculate offset via constants
3. Modify the values of the offsets
15.
The Result
• After patched, trigger all the
protections!
• No shellcode modification
necessary
• Metasploit payloads can be used
• Energy required to exploit?
• Less than 1.21 gigawatts
20.
EMET 5.0TP2 Fix
• Configuration no longer stored in .data
• Stored in space allocated at run time
• Pointer to configuration is stored in .data
• Protected with EncodePointer/DecodePointer
• Permissions are set to Read Only
• Resolving EncoderPointer via ROP would pose a risk
• Existence in IAT of nonASLRed module
• Overwrite configuration location as in 5.0TP1 bypass
21.
ClosingThoughts
• Main executables (.exe’s) without ASLR are bad
• Really bad, not even EMET can fix that
• EMET’s Deep Hooks is a great setting
• Metasploit’s PrependMigrate is also a great setting
• When the going gets tough execute a Powershell command
• This technique is not a silver bullet
• The vulnerability and affected software needs to meet some criteria
22.
Timeline
• October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation
Toolkit)
• June 17, 2013: EMET 4.0 released
• October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in
EMET 4.0. Microsoft responds requesting technical details
• October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical
details for the bypass
• November 5, 2013: Microsoft acknowledges technical details from SecureState
• November 12, 2013: EMET 4.1 released (still vulnerable to the bypass)
• November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass
• February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for
collaboration
• April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released
• SecureState's bypass is patched in EMET 5Tech Preview 2.
• July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience
Toolkit (EMET)”Outlining this vulnerability