Cleveland BSides 2014 presentation on EMET.

1. FunWith Dr. Brown
Spencer McIntyre
Cleveland B-Sides
July 19th, 2014

2. Introduction
• Who am I?
• Spencer McIntyre
• Security Researcher @SecureState
• Metasploit Project Member
• Why we’re here:
• Introducing Dr. Emmett Brown
• We’re going to talk about Microsoft’s EMET

3. EMET Overview
• The Enhanced Mitigation ExperienceToolkit
• Microsoft’s response for making unknown vulnerabilities more difficult to
exploit
• EMET does not “fix” vulnerabilities, it makes them difficult to exploit
reliably
• Crashes are easy but ain’t nobody got time for that
• Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)

4. How Does EMET Make Exploitation Difficult?
• Protections are divided into 3 categories (Memory, ROP, & Other)
• Key protections:
• DEP
• MandatoryASLR
• NullPage
• StackPivot
• Export Address Filtering (EAF)
• 7 Others in EMET 4.1

5. Application Configuration
• Consult the EMET User’s Guide for details

6. DEP & ASLR
• Every application should use DEP &
ASLR
• Can be configured by both the OS (with or
without EMET) or by applications
• Almost allWindows native modules are
ASLRed since Windows 7+
• Have to be careful about third party
applications

7. Brief History of BypassTechniques
• ASLR and DEP bypass techniques are not EMET specific
• Predate EMET
• “Jump” over hooks
• Can make the exploit become Windows version specific
• November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export
address table Address Filter (EAF)” targeting EMET 2.0

8. EMET Start Up
• EMET.dll is loaded into the protected process
• Even when no protections are enabled
• The EMET.dll loads the configuration from the
registry
• EMET Configuration is copied to RW segment
• Can be changed at run time by the application
• First noticed in EMET version 4.0

9. Picking AVulnerability
• Desirable Qualities
• Large amount of payload space (>750 bytes)
• No bad characters
• Non-ASLRed executable module (at least, DLLs are a bonus)
• CVE-2013-2492
• Stack Base Buffer Overflow in Firebird Database
• Meets all requirements
• Remotely exploitable for SYSTEM shell with default configuration

10. What ProtectionsWork?
• Protections target specific vulnerabilities
• Not all protections are always applicable (Example: Null Page)
• Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP)
• Caller
• EAF
• Deep Hooks
• Banned Functions

11. What AreWe GoingTo Do?

12. PatchThe ActionVia ROP
• EMET is ASLRed
• GetModuleHandleA() is not a protected function
• ROP chain resolves the EMET base address dynamically
• Change offset from EMET base address to change the configuration
• Two locations for completely disabling
• &EMET+0x0079074 (EMET 4.0 & 4.1)
• &EMET+0x007e07c (EMET 4.0 & 4.1)

13. ConfigurationValue References

14. EMET Disabling ROP Chain
• 19 Gadget EMET Disabling ROP Chain
• Main steps are:
1. Reslove EMET base address via
GetModuleHandleA or similar
2. Calculate offset via constants
3. Modify the values of the offsets

15. The Result
• After patched, trigger all the
protections!
• No shellcode modification
necessary
• Metasploit payloads can be used
• Energy required to exploit?
• Less than 1.21 gigawatts

16. DemoTime

17. EMET 5.0Tech Preview 1
VULNERABLE

18. EMET 5.0Tech Preview 1
• Still vulnerable
• Encoded Pointer is Optional
• What do we do? Disable it!

19. EMET 5.0Tech Preview 2
Fixed

20. EMET 5.0TP2 Fix
• Configuration no longer stored in .data
• Stored in space allocated at run time
• Pointer to configuration is stored in .data
• Protected with EncodePointer/DecodePointer
• Permissions are set to Read Only
• Resolving EncoderPointer via ROP would pose a risk
• Existence in IAT of nonASLRed module
• Overwrite configuration location as in 5.0TP1 bypass

21. ClosingThoughts
• Main executables (.exe’s) without ASLR are bad
• Really bad, not even EMET can fix that
• EMET’s Deep Hooks is a great setting
• Metasploit’s PrependMigrate is also a great setting
• When the going gets tough execute a Powershell command
• This technique is not a silver bullet
• The vulnerability and affected software needs to meet some criteria

22. Timeline
• October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation
Toolkit)
• June 17, 2013: EMET 4.0 released
• October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in
EMET 4.0. Microsoft responds requesting technical details
• October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical
details for the bypass
• November 5, 2013: Microsoft acknowledges technical details from SecureState
• November 12, 2013: EMET 4.1 released (still vulnerable to the bypass)
• November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass
• February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for
collaboration
• April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released
• SecureState's bypass is patched in EMET 5Tech Preview 2.
• July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience
Toolkit (EMET)”Outlining this vulnerability

23. Questions?

24. References
• Skypher: http://www.exploit-db.com/wp-
content/themes/exploit/docs/15579.pdf
• 0xdabbad00: http://0xdabbad00.com/wp-
content/uploads/2013/11/emet_4_1_uncovered.pdf
• Exodus Intel: https://www.exodusintel.com/files/Aaron_Portnoy-
Bypassing_All_Of_The_Things.pdf
• Offensive Security Blog: http://www.offensive-
security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-
emet/
• http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf

25. Thanks ForYourTime
• Thanks to Jake Garlie for Research Assistance
• Spencer McIntyre
• @zeroSteiner