Skip to content

Bypassing EMET 3.5’s ROP Mitigations

August 8, 2012

UPDATE : It seems MS was aware of this kind of bypasses, so I bypassed EMET ROP mitigations using another EMET’s implementation mistake. EMET team forget about the KernelBase.dll and left all its functions unprotected. so I used @antic0de‘s method for finding base address of kernelbase.dll at run-time, then I used VirtualProtect inside the kernelbase.dll, not ntdll.dll or krenel32.dll. you can get new exploit at the end of this post.

I have managed to bypass EMET 3.5, which is recently released after Microsoft BlueHat Prize, and wrote full-functioning exploit for CVE-2011-1260 (I choosed this CVE randomly!) with all EMET’s ROP mitigation enabled.


EMET’s ROP mitigation works around hooking certain APIs (Like VirtualProtect) with Shim Engine and monitors their initialization.I have used SHARED_USER_DATA which mapped at fixed address “0x7FFE0000” to find KiFastSystemCall address (SystemCallStub at “0x7FFE0300”), So I could call any syscall by now!By calling ZwProtectVirtualMemory’s SYSCALL “0x0D7”, I made shellcode’s memory address RWX. After this step I could execute any instruction I wanted. But to execute actual shellcode (with hooked APIs like “WinExec”) I did patched EMET to be deactivated completely. BOOM! you can use both this methods for generally bypassing EMET ROP mitigations in other exploits, all you need is to bypass ASLR.

Here is the asm code which makes EMET 3.5 deactivated  And actual exploit.

  1. Matt Gibson permalink

    Very nicely done. I’m impressed!

    Would you argue that EMET’s mostly useless then?

    • Snake permalink

      at some points EMET is still usefull, because writing a full functional exploit which bypass all it’s protection at once need chance and some vulnerability specific condition’s.but at all it is possible to fully bypass it in most of browser’s use-after-free vulnerabilities.EMET is lucky because we never seen such exploit in wild until now ; >

  2. Eva Manolova permalink

    This clip is not honest. this clip was crafted to serve a purpose not to sow the truth. It is non shown if hardware DEP s running, it is not shown if hardware virutalization is running, at current state whatever the author says might be made up to cover up. EMET’s protection was WEAKENED deliberately so the demonstration can go successful. The main system wide settings were set to OPT-IN, where almost no software opts into protection. DEP was OPT-IN, SEHOP was OPT-IN, ASLR was OPT-IN, and if hardware DEP is disabled from bios/CPU this renders DEP next to useless. from the next two screens, for those with fast eye, and fast finger on the mouse click, you will see that iexplore.exe was opted out of all protections except ROP. This gives the author plenty of opportunity to circumvent ROP protection, by using other explotation techniques, which could be stopped cold in their tracks if all protections and mitigations were running. also ROP is heavy dependent on knowing where your stuff is. ASLR running at full force makes ROP that much harder because all is randomized and you have no real idea where things are. ASLR Alone makes ROP Exploitation that much harder, exactly because it randomizes all the stack and pointers and you will not have an idea where all pointers you need are.

    • Snake permalink

      It seems you don’t understand what this exploit do and how ASLR and DEP are useless.
      I don’t want to fool you by Demo, if you doubt download the PoC and test it yourself. and for the record it is very easy to bypass EMET with full protection ON ( you just need to turn the use-aftre-free to a memory leak).

Trackbacks & Pingbacks

  1. Frankenstein computer virus « Later On
  2. Improvement of Pwnypot – Week 2 and 3 | Honeynet Project GSoC 2013 Status Updates
  3. Improvement of Pwnypot – Week 4 | Honeynet Project GSoC 2013 Status Updates
  4. Microsoft EMET 4.0 - Новая планка безопасности
  5. New Enhanced Mitigation Experience Toolkit v4.1 (EMET)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: