Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/407 Thanks!

Hello and welcome to my talk about EMET: Armor or Curtain? My name is René Freingruber, and in the next minutes I'm going to tell you something about exploit development, and especially about how to bypass different mitigation techniques. So let's have a look at the plan for today.

First of all, I will give you a short introduction about my person and my company. After that I come to the basics, so I will introduce concepts like address space layout randomization or data execution prevention to you. I will also talk about the Firefox vulnerability which I will use during this talk to demonstrate the proposed techniques on top of it. After that I come to the first EMET-related chapter. It's about finding or locating EMET in memory, and we will see why this is important in this chapter.
And after that I come to advanced code reuse techniques, which is a technique which is already public and well known by exploit developers. But I think if you are trying to talk about how EMET can be bypassed, this technique is really useful, and that's why I've included it here. After that we come to the different mitigation techniques of EMET, so there we will talk about five different protections, the return-oriented programming protections, and about the export address filtering protections, and how we can bypass these mitigation techniques. At the end I will give you some final thoughts and show you the demonstration, and you also have time to ask me some questions.

As already mentioned, my name is René Freingruber. I have been working for about two years as a security consultant at SEC Consult, and I'm also currently a student at the Technical University of Vienna. I am doing my bachelor's thesis there about exploitation.
And I really want to thank my professor, Christian Platzer, that he gave me this possibility to write about such a great topic. I also have here one slide about my company, SEC Consult. I think the most interesting part for you is that we are currently hiring. So if you want to work as a security consultant in Germany, just drop me a mail, or just go to our website, or come to me after the talk.

Now, the basics.

Exploitation was quite easy 15 years ago, so in the year 2000. If you had a buffer overflow, or a stack-based buffer overflow, you just had to pad it until you reached the return address, and at the return address you placed a hard-coded address pointing again to the stack, and placed the shellcode there, and it would be executed. And everything was working. Nowadays everything becomes a little bit harder, because we have many, many different protections there which must be bypassed. So on the left side you see a picture of some of the names of these protections.
This is not a complete list, but from the perspective of the attacker we have to bypass all these mitigation techniques. And the two biggest ones here are data execution prevention (DEP) and address space layout randomization (ASLR). Just a quick question: who of you knows data execution prevention? Just raise your hand. OK, it's good. Who of you knows address space layout randomization? OK, so I just go very quickly over this and then we move on.

The idea of address space layout randomization is that everything is loaded at a random address in memory. So if you start Firefox or any application two times, everything, all the code sections or data sections, will be loaded at a random address. So from the perspective of the attacker, I don't know anything about where the data is in memory.

And the idea of data execution prevention, on the other side, is that on the stack or on the heap there should just be data stored, which is readable and writable, but not executable.
So that means I can just mark these pages as read and write, but not as executable. That means if I store my shellcode on the stack and try to execute it, it would just segmentation fault, because this page is not marked as executable. And yes, the typical bypass of data execution prevention is to use a technique which is called return-oriented programming. That means I'm just returning to already existing code in the program. So I'm just executing one, two, three instructions which are currently there in the program, and then return to the next one to three instructions, and then chain all these instructions together to build new logic in the program, for example logic to disable data execution prevention. And you see why it's so hard to bypass address space layout randomization and data execution prevention together: because if ASLR is also there, the address of this already existing code is randomized. So I don't know where this already existing code is stored in memory.
So the typical way is to first bypass address space layout randomization. For example, I can turn a vulnerability into an information disclosure vulnerability by making partial overwrites, or increasing the length of string fields, or something like that, and then leak the base address of one module. And based on this module I then develop a ROP chain to disable data execution prevention. You will see this concept in some later slides.

And now I'll show you the Firefox vulnerability. In this case I have chosen the Firefox Array.reduceRight vulnerability, which is a little bit older, it's from 2011, because then I can show you the exploitation code without risking that any attacker can abuse this code here. It also works very reliably against all different kinds of operating systems, starting from Windows XP SP0 until Windows 8.1, and it bypasses address space layout randomization and data execution prevention.
We are not doing stuff like heap spraying, because heap spraying is one technique which can be used to defeat address space layout randomization. The idea is that it just stores the data in the complete memory range. So you just spray the data over the complete memory range, and that means you can use any address, because the data is everywhere. And the problem here is that the browser would freeze for some seconds while we are doing the spraying, and that means that the victim could notice that an attack is ongoing. In this case, if the victim goes to my website, he really notices nothing. So there is no difference: the browser is not crashing, it just looks like a normal website, it is just infected with my payload.

Unfortunately I don't have enough time to talk about all details of this vulnerability today. So if you want to find out more, just have a look at this great talk by Heartiness, it's called "A Tale of Two Firefox Bugs".
You can find it on YouTube, or just have a look at my bachelor's thesis, which I will release in two or three weeks.

For everyone who doesn't know the Array.reduce function: this function can be used to invoke a callback function on all elements of... so, give me one second.

So, yeah, for anyone who does not know the reduce function, it can be used to invoke a callback function on all elements of an array. So let's say that the callback function is the print function. It would just go to the first element, invoke this function, so print the first element, and then the next one, print this one, and so on until it reaches the last element. And the Array.reduceRight function, on the other side, just starts with the last element, with the rightmost element, and goes from right to left. And starting with the last element means that you start with the element at index length minus one. And the problem is that in JavaScript you can just set the length field to any value which we like.
In this case, I set the length field to a very huge value, like the one shown here. The problem is that the index is declared as a signed integer, and that means the index can drop down to a negative number. So I assign the length a very huge value, the index becomes negative, and that means I can access elements outside the scope of the array. And you will see this here on the next slide. So if I store something at index zero in the array, it would come up here in memory first, or something at index one, it comes here. You see the array here has a capacity of six elements, so we can store six elements here. And if I try to access index zero, it says that this is allowed, because zero is smaller than the capacity of the array. So this is allowed. Another example is if I try to access the last element, this is also allowed. But if I try to access higher elements, elements outside the scope of this array, this is not allowed.
But if I use a negative index, this would always be allowed, because only the upper boundary is checked. So I can access elements which are stored in front of this array.

If I look at an array in JavaScript, you would end up with this data structure here. So we have here a data structure, and I have different fields describing this array. And as I mentioned, if I store something at index zero, it would come here; at index one, it would come to this location here. And every entry consists of eight bytes. So the first four bytes are used to store the data entry; for example, if I store an integer, the integer value would be stored here. And the second four bytes are used to store the data type, for example if it's a string, if it's an object, if it's an integer, and so on. For example, if it would be a string, it would just say here it's a string, and the first four bytes would be used as a pointer pointing to a string data structure.
You also see here that this array has a fixed size. So, for example, I can just store 10 elements in this case here. And if I try to add just one more element, an eleventh element, this green array would be relocated. This is the slots array. So it would come here to a new memory location, which is bigger, to fulfill the request. And then we have a pointer, at this point, that is always pointing to the actually used slots array. So typically it's pointing to this location, but if it's going to be relocated, it would be pointing to this newly used memory.

And I come to the first attack. So what I have done is, I just relocated this array to a location of the fixed size of 512 bytes, and then I just made many, many allocations of the same size before making this allocation.
That means that I have full control over the memory which is in front of this slots array. So the blue marked memory here is under my control, and I can set it to anything I like. If I now use a length field of the value shown here, and so on, it would become the negative index minus one. That means I'm just accessing and working with this memory, which is under my control, and here I can just set the data type to 05; 05 here means it's a string. That means the first four bytes are interpreted as a string pointer. I can then just let this pointer point again to my own data here and there specify the fields of the string, like the length of the string or the address of the string data. And I can just say that this address is pointing to the memory which I want to read, because then this code returns me a string pointer and I can just read from this string.

You see here, this is the implementation of this code in JavaScript.
You see, this is the length field. I just set the length here to this location, then invoke the reduceRight function and give the leak function as callback function. This is this function here. Then the current element, which is passed as this argument, is the element which is under my full control. It just verifies that the data type is really a string, and if it's a string, I just said here, I throw an exception to exit this reduce function here and just catch it here, and just return the string, and I can read from the string the memory which I want to read. So I'm now able to read any memory in this program.

The next step is to get code execution, and I can achieve this by just changing the data type from a string to an object, because every object has at its start a pointer to the virtual table. And inside this virtual table, the virtual function pointers are stored. So if we go a little bit back:
If the data type of the current element would be object, I would invoke this line here, the typeOf function of it. So it would just follow the object pointer, then follow the pointer inside this table at this relative offset from the start, so the typeOf function pointer, and then just invoke this typeOf function. And since I have full control over the pointer of the object, I would have full control over the vtable pointer. That means I can just let it point to my own data and can let the typeOf function point to my shellcode and execute it.

In this case I've just chosen the setElement function instead, because it has some benefits which allow me that the process will not crash after executing this vulnerability, after triggering the vulnerability.

So the attack looks like this. I just change the data type to 07, which is the data type of an object. That means the first four bytes get interpreted as an object pointer.
If I then follow the vtable pointer, I come here. This is the relative offset which is added inside this virtual table to reach the setElement function pointer. And if I invoke this function, I can just let it point to my own shellcode, and the shellcode will be executed.

At the end, you see that I have stored the opcode C3, which is the opcode for a return, so this opcode would just return from the setElement function and Firefox would just continue execution as if nothing had happened.

The problem with this is that this attack would just work against old systems like Windows XP SP0, because the shellcode in this case is stored on the heap, and because of data execution prevention the heap is not marked as executable. That means we first have to somehow disable data execution prevention by using a ROP chain. And the problem of the ROP chain is that the next location, the next address of the instructions, is taken from the location the stack pointer is pointing to.
So from the stack. And as the name implies, the stack pointer is typically pointing to the stack, but we don't have control over this location there, so we cannot place the address of the next instruction. We only have control over this red marked area here on the heap. And that means that the first gadget has to somehow shift the stack pointer from the stack to the heap to be able to control the address of the next gadget.

So we have to find one such gadget, and we can do this by looking into the Firefox module. If you have a look here, this code is from the Firefox module. You see here, this is a jump operation, and this jump operation is encoded using two bytes. So the 72 says it's a jump, and C9 would be the relative offset, which goes upwards because it's bigger than 0x80. And the point is that using return-oriented programming, we don't have to return to the start of this instruction.
We can just return to the middle of it and really interpret this code here as new instructions. We can build new instructions which are not there, just by jumping into the middle of already existing instructions. So if you look here, if you just jump to the C9, it would now be interpreted as a leave instruction. And leave is exactly doing what I want to do, because it takes the content of the base pointer and moves it into the stack pointer. And the base pointer is currently pointing to this red area, which is under my control.

I have a quick digression about how to find such ROP gadgets, but since we are quite bad in time, I just skip this. You can have a look at it after the talk. But the basic idea is that making syntax-based searches, like in this case here, there are many, many different possibilities to get the same behavior.
476 00:16:09,560 --> 00:16:11,909 with another instruction, and you have to 477 00:16:11,910 --> 00:16:14,459 try out all of them to find one which 478 00:16:14,460 --> 00:16:16,619 is in the program, and this is 479 00:16:16,620 --> 00:16:17,729 very time consuming. 480 00:16:17,730 --> 00:16:19,919 So what I was doing is I was just using 481 00:16:19,920 --> 00:16:22,049 an emulator to emulate the gadgets 482 00:16:22,050 --> 00:16:24,209 and then start a behavior-based search 483 00:16:24,210 --> 00:16:25,319 on these gadgets. 484 00:16:25,320 --> 00:16:27,419 So, for example, I just take this 485 00:16:27,420 --> 00:16:29,489 gadget, emulate this 486 00:16:29,490 --> 00:16:30,459 gadget several times 487 00:16:30,460 --> 00:16:32,249 with different starting register values, 488 00:16:32,250 --> 00:16:34,379 and then observe the behavior of it and 489 00:16:34,380 --> 00:16:36,169 store the behavior together with the 490 00:16:36,170 --> 00:16:37,709 gadget in a database. 491 00:16:37,710 --> 00:16:39,809 And then I can make behavior-based 492 00:16:39,810 --> 00:16:41,849 searches like: give me all gadgets which 493 00:16:41,850 --> 00:16:43,589 can be used to set this register to 494 00:16:43,590 --> 00:16:44,590 zero. 495 00:16:45,960 --> 00:16:49,409 So this greatly reduces the workload. 496 00:16:49,410 --> 00:16:50,999 And I come to the first EMET-related 497 00:16:51,000 --> 00:16:52,349 chapter. 498 00:16:52,350 --> 00:16:54,419 So if you start EMET, you would end up 499 00:16:54,420 --> 00:16:56,459 with this user interface. On the upper 500 00:16:56,460 --> 00:16:59,019 part, you can configure 501 00:16:59,020 --> 00:17:01,109 the operating system protections 502 00:17:01,110 --> 00:17:02,859 like Data Execution Prevention or 503 00:17:02,860 --> 00:17:05,219 ASLR. Below are the 504 00:17:05,220 --> 00:17:07,379 running processes and which are protected 505 00:17:07,380 --> 00:17:08,729 by EMET.
506 00:17:08,730 --> 00:17:10,828 And if you click the button, 507 00:17:10,829 --> 00:17:13,529 you can make per-process configurations. 508 00:17:13,530 --> 00:17:15,358 In this case, I've just enabled all 509 00:17:15,359 --> 00:17:17,499 protections for Firefox 510 00:17:17,500 --> 00:17:20,189 and I now start my Firefox exploit. 511 00:17:20,190 --> 00:17:22,949 You would see that Firefox just crashed 512 00:17:22,950 --> 00:17:25,029 and at the bottom you see that EMET 513 00:17:25,030 --> 00:17:27,059 detected an attack is ongoing. 514 00:17:27,060 --> 00:17:28,979 In this case, the StackPivot mitigation 515 00:17:28,980 --> 00:17:30,779 technique detected this attack. 516 00:17:30,780 --> 00:17:32,819 So just remember for later: the StackPivot 517 00:17:32,820 --> 00:17:34,919 mitigation detected 518 00:17:34,920 --> 00:17:36,119 that an attack is ongoing. 519 00:17:39,510 --> 00:17:41,489 Before making, before talking about the 520 00:17:41,490 --> 00:17:43,169 different techniques, we have to make 521 00:17:43,170 --> 00:17:45,089 some general considerations. 522 00:17:45,090 --> 00:17:46,739 So what we really want to do is we want 523 00:17:46,740 --> 00:17:49,019 to protect against real world attackers. 524 00:17:49,020 --> 00:17:51,149 So that means we have to think, 525 00:17:51,150 --> 00:17:52,859 think like a real world attacker, because 526 00:17:52,860 --> 00:17:54,509 we don't want to protect against some 527 00:17:54,510 --> 00:17:56,879 very academic approach or some 528 00:17:56,880 --> 00:17:59,009 academic bypass techniques which are 529 00:17:59,010 --> 00:18:00,749 just working against one specific 530 00:18:00,750 --> 00:18:02,219 operating system. 531 00:18:02,220 --> 00:18:04,079 So what are the goals of real world 532 00:18:04,080 --> 00:18:06,359 attackers?
They want a bypass technique 533 00:18:06,360 --> 00:18:07,560 which works reliably 534 00:18:09,030 --> 00:18:10,679 against all different kinds of operating 535 00:18:10,680 --> 00:18:13,259 systems. So if 100 536 00:18:13,260 --> 00:18:15,479 victims go to my website, I want that 100 537 00:18:15,480 --> 00:18:18,529 victims are infected, and 538 00:18:18,530 --> 00:18:19,949 it must work against all operating 539 00:18:19,950 --> 00:18:22,319 systems and also service pack levels and 540 00:18:22,320 --> 00:18:23,759 against all EMET versions. 541 00:18:23,760 --> 00:18:25,680 And even if it is or is not there. 542 00:18:27,190 --> 00:18:29,169 Another nice thing is that the exploit 543 00:18:29,170 --> 00:18:30,989 should be easy to reuse. 544 00:18:30,990 --> 00:18:33,119 So, for example, if I spent one month 545 00:18:33,120 --> 00:18:35,609 to develop all my bypass techniques 546 00:18:35,610 --> 00:18:37,499 for the Firefox vulnerability, I just want to 547 00:18:37,500 --> 00:18:39,399 make copy and paste if I find a 548 00:18:39,400 --> 00:18:40,799 vulnerability in Internet Explorer or 549 00:18:40,800 --> 00:18:42,869 something like that, so that I don't want 550 00:18:42,870 --> 00:18:44,279 to spend another month to implement 551 00:18:44,280 --> 00:18:45,540 everything from scratch. 552 00:18:46,710 --> 00:18:48,779 So this last point brings us to the 553 00:18:48,780 --> 00:18:51,329 idea that we can build everything 554 00:18:51,330 --> 00:18:53,609 on top of EMET.dll because it works 555 00:18:53,610 --> 00:18:55,739 by injecting its own library 556 00:18:55,740 --> 00:18:57,689 into all protected applications. 557 00:18:57,690 --> 00:19:00,119 And then it just hooks functions, critical 558 00:19:00,120 --> 00:19:02,169 functions, and says: execute my hook 559 00:19:02,170 --> 00:19:03,749 before invoking this function.
560 00:19:03,750 --> 00:19:05,699 And if the checks succeed, invoke the 561 00:19:05,700 --> 00:19:07,660 function; if not, just terminate 562 00:19:08,730 --> 00:19:10,619 the application before doing anything 563 00:19:10,620 --> 00:19:11,729 else. 564 00:19:11,730 --> 00:19:13,589 And this is a great 565 00:19:13,590 --> 00:19:15,359 target to build everything on top of it, 566 00:19:15,360 --> 00:19:17,549 because if we have to bypass EMET, we 567 00:19:17,550 --> 00:19:19,439 know EMET.dll is over there. 568 00:19:19,440 --> 00:19:21,509 So if we write everything based 569 00:19:21,510 --> 00:19:23,609 on EMET.dll on Firefox, we know 570 00:19:23,610 --> 00:19:25,409 it's also there if I try to attack Adobe 571 00:19:25,410 --> 00:19:26,519 Reader or something like that. 572 00:19:29,450 --> 00:19:31,489 So the first step is that we find EMET.dll 573 00:19:31,490 --> 00:19:33,979 in memory. Other researchers, 574 00:19:33,980 --> 00:19:35,389 for example, the researchers from 575 00:19:35,390 --> 00:19:37,519 Offensive Security, also 576 00:19:37,520 --> 00:19:40,159 found ways to bypass EMET, and the 577 00:19:40,160 --> 00:19:42,199 approach from Offensive Security also 578 00:19:42,200 --> 00:19:44,419 requires to find EMET.dll first 579 00:19:44,420 --> 00:19:46,489 in memory. So I really recommend to 580 00:19:46,490 --> 00:19:48,439 you that you have a look at these great 581 00:19:48,440 --> 00:19:50,569 blog posts of Offensive Security. 582 00:19:50,570 --> 00:19:52,759 I only talk shortly about their technique. 583 00:19:52,760 --> 00:19:54,709 But what they were doing is they just 584 00:19:54,710 --> 00:19:56,689 assumed that one of the modules is 585 00:19:56,690 --> 00:19:58,999 importing the GetModuleHandle function 586 00:19:59,000 --> 00:20:00,499 and then they are just writing a ROP 587 00:20:00,500 --> 00:20:02,359 chain which invokes this function and 588 00:20:02,360 --> 00:20:03,379 gives it as argument
589 00:20:03,380 --> 00:20:05,339 "EMET", and this function just returns the 590 00:20:05,340 --> 00:20:06,679 image base of it. 591 00:20:06,680 --> 00:20:08,809 But the problem in this case is that 592 00:20:08,810 --> 00:20:10,729 if the mod-, if the attacked application 593 00:20:10,730 --> 00:20:13,339 is not importing this function, it's 594 00:20:13,340 --> 00:20:14,340 just not applicable. 595 00:20:15,170 --> 00:20:16,999 And in addition, it adds additional 596 00:20:17,000 --> 00:20:19,339 dependencies in some cases. 597 00:20:19,340 --> 00:20:21,559 So I tried to develop my own approach. 598 00:20:21,560 --> 00:20:24,019 I call this approach the hook approach. 599 00:20:24,020 --> 00:20:26,239 And as already mentioned, EMET 600 00:20:26,240 --> 00:20:28,519 works by hooking critical functions. 601 00:20:28,520 --> 00:20:30,349 So some examples for critical functions 602 00:20:30,350 --> 00:20:32,659 are VirtualAlloc or VirtualProtect 603 00:20:32,660 --> 00:20:34,429 because they can be used to disable Data 604 00:20:34,430 --> 00:20:35,929 Execution Prevention. 605 00:20:35,930 --> 00:20:38,029 Other examples are WinExec because, of 606 00:20:38,030 --> 00:20:40,789 course, you can invoke any program, 607 00:20:40,790 --> 00:20:42,799 or LoadLibrary because you can use it to 608 00:20:42,800 --> 00:20:44,519 load an additional module from a Windows 609 00:20:44,520 --> 00:20:45,379 share. 610 00:20:45,380 --> 00:20:46,609 So from the attacker's share. 611 00:20:48,030 --> 00:20:49,919 And this way, EMET can implement some 612 00:20:49,920 --> 00:20:51,779 checks before invoking the function, like 613 00:20:51,780 --> 00:20:54,029 the StackPivot mitigation technique, 614 00:20:54,030 --> 00:20:55,829 which we already saw in the picture.
615 00:20:55,830 --> 00:20:58,259 So this StackPivot mitigation technique 616 00:20:58,260 --> 00:21:00,059 just checks if the stack pointer is 617 00:21:00,060 --> 00:21:01,769 currently pointing to the stack or if it 618 00:21:01,770 --> 00:21:03,509 was shifted away to the heap. 619 00:21:03,510 --> 00:21:05,339 So in our case, we just shifted it away. 620 00:21:05,340 --> 00:21:07,499 And that's exactly how EMET detected 621 00:21:07,500 --> 00:21:08,999 that an attack is ongoing here. 622 00:21:11,670 --> 00:21:13,919 To understand the hook approach, we have 623 00:21:13,920 --> 00:21:15,719 to take a look at the implementation of 624 00:21:15,720 --> 00:21:17,829 the VirtualProtect function 625 00:21:17,830 --> 00:21:19,679 and how EMET hooks this function. 626 00:21:19,680 --> 00:21:21,239 So this is the implementation inside 627 00:21:21,240 --> 00:21:23,599 kernel32.dll of VirtualProtect. 628 00:21:23,600 --> 00:21:25,739 You see here, this 629 00:21:25,740 --> 00:21:27,639 implementation is just forwarding execution. 630 00:21:27,640 --> 00:21:29,699 So this is the standard prologue, which is 631 00:21:29,700 --> 00:21:32,249 all this here. 632 00:21:32,250 --> 00:21:33,779 That's the standard prologue 633 00:21:33,780 --> 00:21:35,669 here. And then we're just making a jump 634 00:21:35,670 --> 00:21:37,769 to jump into the implementation 635 00:21:37,770 --> 00:21:38,849 of it. 636 00:21:38,850 --> 00:21:40,949 But if we protect now this application 637 00:21:40,950 --> 00:21:43,259 with EMET, it would change 638 00:21:43,260 --> 00:21:45,509 this function and just places here 639 00:21:45,510 --> 00:21:47,189 a hook. So it would just make, 640 00:21:48,290 --> 00:21:50,419 replace the first bytes with 641 00:21:50,420 --> 00:21:52,729 a jump to its own code and then replaces 642 00:21:52,730 --> 00:21:54,649 a random number of bytes with 643 00:21:54,650 --> 00:21:55,650 breakpoints.
644 00:21:56,360 --> 00:21:58,249 And if you follow this jump, you 645 00:21:58,250 --> 00:22:00,619 would come to code which 646 00:22:00,620 --> 00:22:02,779 was allocated by EMET. 647 00:22:02,780 --> 00:22:04,939 And you see here, it's just 648 00:22:04,940 --> 00:22:07,159 pushing some, some arguments to the stack 649 00:22:07,160 --> 00:22:09,289 and after that it makes a final call 650 00:22:09,290 --> 00:22:10,849 into EMET.dll. 651 00:22:10,850 --> 00:22:12,949 So what the hook approach tries to do 652 00:22:12,950 --> 00:22:15,259 is it just follows, follows this first 653 00:22:15,260 --> 00:22:17,449 hook, the first jump, until it comes 654 00:22:17,450 --> 00:22:19,339 to this location and then just goes 655 00:22:19,340 --> 00:22:21,589 downwards and extracts the 656 00:22:21,590 --> 00:22:24,049 address which is used as call target. 657 00:22:25,070 --> 00:22:26,749 And as soon as I have a pointer into 658 00:22:26,750 --> 00:22:28,459 EMET.dll, I can just go downward until I 659 00:22:28,460 --> 00:22:29,719 find the PE header. 660 00:22:29,720 --> 00:22:32,809 And then I've extracted the image base. 661 00:22:32,810 --> 00:22:35,239 So here is something else interesting. 662 00:22:35,240 --> 00:22:37,359 It's the third pushed value. 663 00:22:37,360 --> 00:22:39,439 This value here, this 664 00:22:39,440 --> 00:22:41,599 value points exactly to 665 00:22:41,600 --> 00:22:43,519 this location here. 666 00:22:43,520 --> 00:22:45,889 Because EMET copied 667 00:22:45,890 --> 00:22:47,959 the old bytes, the 668 00:22:47,960 --> 00:22:50,689 old implementation of the function, 669 00:22:50,690 --> 00:22:52,559 and replaced them with the hooking code, 670 00:22:52,560 --> 00:22:54,649 and it has to store the old bytes somewhere 671 00:22:54,650 --> 00:22:55,999 in memory. And this is exactly the 672 00:22:56,000 --> 00:22:58,099 location where it stores the old bytes.
673 00:22:58,100 --> 00:23:00,289 This will be important at a later 674 00:23:00,290 --> 00:23:01,760 moment. So just remember it. 675 00:23:03,550 --> 00:23:04,779 So this is a summary of the hook 676 00:23:04,780 --> 00:23:07,249 approach. I'm just resolving 677 00:23:07,250 --> 00:23:09,189 the import address table entry of one of 678 00:23:09,190 --> 00:23:11,349 the critical functions, then I can just 679 00:23:11,350 --> 00:23:12,909 read the first five bytes. 680 00:23:12,910 --> 00:23:15,189 If it's a mov, if it's a mov 681 00:23:15,190 --> 00:23:17,139 instruction, I know that EMET is not there 682 00:23:17,140 --> 00:23:18,729 because this function is not hooked. 683 00:23:18,730 --> 00:23:20,139 That means I can just run the exploit 684 00:23:20,140 --> 00:23:21,729 without any EMET bypasses. 685 00:23:21,730 --> 00:23:23,369 And if it's a jmp, I just follow this 686 00:23:23,370 --> 00:23:25,659 jump until I find the image base. 687 00:23:25,660 --> 00:23:28,149 And yeah, then I'm done 688 00:23:28,150 --> 00:23:29,559 here. This is a ROP chain which 689 00:23:29,560 --> 00:23:31,629 implements this. Quick 690 00:23:31,630 --> 00:23:33,519 question: who of you has already written a 691 00:23:33,520 --> 00:23:35,859 ROP chain? Just raise your hand. 692 00:23:35,860 --> 00:23:37,929 OK, I just go 693 00:23:37,930 --> 00:23:39,849 over very quickly over the first three 694 00:23:39,850 --> 00:23:42,189 lines so that everyone, 695 00:23:42,190 --> 00:23:45,009 everyone knows what's going on here. 696 00:23:45,010 --> 00:23:46,209 So this is the address 697 00:23:47,350 --> 00:23:49,389 which I write to the stack. 698 00:23:49,390 --> 00:23:51,279 This address overwrites the return 699 00:23:51,280 --> 00:23:52,239 address. 700 00:23:52,240 --> 00:23:54,309 And at this address, these 701 00:23:54,310 --> 00:23:56,349 assembly instructions are stored.
702 00:23:56,350 --> 00:23:58,419 So it would basically just 703 00:23:58,420 --> 00:24:00,789 start executing these assembly instructions. 704 00:24:00,790 --> 00:24:03,459 It would execute it here, 705 00:24:03,460 --> 00:24:05,469 because the stack pointer is currently 706 00:24:05,470 --> 00:24:06,759 pointing to this location. 707 00:24:06,760 --> 00:24:08,859 It would just take this value here 708 00:24:08,860 --> 00:24:11,409 and pop this value into the eax register 709 00:24:12,790 --> 00:24:14,589 and then start executing the next line, 710 00:24:14,590 --> 00:24:16,179 which is this line here. 711 00:24:16,180 --> 00:24:17,500 It would just make a mov. 712 00:24:18,580 --> 00:24:20,919 That means I just popped the 713 00:24:20,920 --> 00:24:23,169 pointer to the VirtualAlloc import 714 00:24:23,170 --> 00:24:25,269 address table entry into eax, and with 715 00:24:25,270 --> 00:24:26,949 this line I'm just resolving the import 716 00:24:26,950 --> 00:24:28,389 address table entry. 717 00:24:28,390 --> 00:24:30,639 And the next line would just move 718 00:24:30,640 --> 00:24:32,799 this content from the eax register into 719 00:24:32,800 --> 00:24:34,989 the edi register using some 720 00:24:34,990 --> 00:24:36,889 push and pop because there was no mov 721 00:24:36,890 --> 00:24:38,979 instruction, and so on. It would just 722 00:24:38,980 --> 00:24:40,240 continue doing this stuff. 723 00:24:41,560 --> 00:24:43,419 What you see here is that I have used 724 00:24:43,420 --> 00:24:45,339 hardcoded values based on the EMET 725 00:24:45,340 --> 00:24:45,969 version. 726 00:24:45,970 --> 00:24:47,409 So, for example, if it's EMET 4.1, 727 00:24:47,410 --> 00:24:49,509 I need to use this offset and 728 00:24:49,510 --> 00:24:52,509 for 5.0, I need to use this, 729 00:24:52,510 --> 00:24:53,799 this value. 730 00:24:53,800 --> 00:24:55,599 And the problem is that currently I don't 731 00:24:55,600 --> 00:24:57,609 really know which version is there.
732 00:24:57,610 --> 00:24:59,139 So this approach is very bad. 733 00:24:59,140 --> 00:25:00,999 So it would just work against, against one 734 00:25:01,000 --> 00:25:03,099 specific EMET version, 735 00:25:03,100 --> 00:25:05,109 which is not what we like. 736 00:25:05,110 --> 00:25:07,659 If I try to target a local application 737 00:25:07,660 --> 00:25:09,339 like a video application or something 738 00:25:09,340 --> 00:25:10,869 like that, I really have to write a 739 00:25:10,870 --> 00:25:12,939 better version. But this is very, very 740 00:25:12,940 --> 00:25:15,219 complex because then I have to make 741 00:25:15,220 --> 00:25:17,349 additional jumps inside the chain and 742 00:25:17,350 --> 00:25:19,779 this increases the size a lot. 743 00:25:19,780 --> 00:25:21,939 But if you are dealing with a browser 744 00:25:21,940 --> 00:25:24,729 vulnerability, you can 745 00:25:24,730 --> 00:25:26,229 apply this advanced code reuse 746 00:25:26,230 --> 00:25:27,230 technique. 747 00:25:29,720 --> 00:25:31,609 Basically, the idea of return-oriented 748 00:25:31,610 --> 00:25:33,839 programming is that we reuse or abuse 749 00:25:33,840 --> 00:25:36,139 already existing code in the program. But 750 00:25:36,140 --> 00:25:38,089 if you are attacking a browser or a PDF reader 751 00:25:38,090 --> 00:25:39,379 or something like that, we know that 752 00:25:39,380 --> 00:25:42,169 there must be code related to handling 753 00:25:42,170 --> 00:25:44,119 data structures, for example, 754 00:25:44,120 --> 00:25:45,409 to handle strings. 755 00:25:45,410 --> 00:25:47,299 And the idea is now that we can just use 756 00:25:47,300 --> 00:25:49,909 a ROP chain or the vulnerability 757 00:25:49,910 --> 00:25:51,949 to manipulate these data structures.
758 00:25:51,950 --> 00:25:53,569 So, for example, we can just say that the 759 00:25:53,570 --> 00:25:56,539 string is now pointing to a new location 760 00:25:56,540 --> 00:25:58,159 and then return to JavaScript and 761 00:25:58,160 --> 00:25:59,839 implement everything in JavaScript. 762 00:26:01,100 --> 00:26:02,809 I later found out that this approach was 763 00:26:02,810 --> 00:26:05,029 already public 764 00:26:05,030 --> 00:26:07,339 or discussed by Yang Yu 765 00:26:07,340 --> 00:26:08,369 this year. 766 00:26:08,370 --> 00:26:10,489 So have a look at this great talk if you 767 00:26:10,490 --> 00:26:11,900 want to find out more about this. 768 00:26:13,190 --> 00:26:15,679 Here are some examples. The first example 769 00:26:15,680 --> 00:26:17,659 is that you can just manipulate the string 770 00:26:17,660 --> 00:26:18,919 and let's say that the string is now 771 00:26:18,920 --> 00:26:20,449 pointing to the hooking code, and then you can 772 00:26:20,450 --> 00:26:22,429 implement the complete parsing inside 773 00:26:22,430 --> 00:26:23,569 JavaScript. 774 00:26:23,570 --> 00:26:25,519 Another very nice example is the third 775 00:26:25,520 --> 00:26:26,520 example here. 776 00:26:28,190 --> 00:26:29,749 In this example, we can just say that the 777 00:26:29,750 --> 00:26:31,849 string starts at the code section of any 778 00:26:31,850 --> 00:26:33,979 loaded module, for example EMET.dll, 779 00:26:33,980 --> 00:26:35,199 and the length field is 780 00:26:35,200 --> 00:26:37,129 the length of this code section. 781 00:26:37,130 --> 00:26:39,439 Then we can use functions, such functions 782 00:26:39,440 --> 00:26:41,689 like indexOf, to search inside this code 783 00:26:41,690 --> 00:26:43,999 section to dynamically find 784 00:26:44,000 --> 00:26:45,949 gadgets. So we dynamically find the 785 00:26:45,950 --> 00:26:48,049 relative offset for this gadget, 786 00:26:48,050 --> 00:26:49,819 so we can say:
787 00:26:49,820 --> 00:26:52,099 tell me the location where I can find 788 00:26:52,100 --> 00:26:54,349 a pop, pop, ret instruction, 789 00:26:54,350 --> 00:26:56,089 and that means I can just write my 790 00:26:56,090 --> 00:26:59,029 exploit, for example, against 5.1, 791 00:26:59,030 --> 00:27:01,369 and if Microsoft later releases 792 00:27:01,370 --> 00:27:03,169 EMET 5.2 or something like 793 00:27:03,170 --> 00:27:05,539 that, it would just 794 00:27:05,540 --> 00:27:07,729 keep working because I can find 795 00:27:07,730 --> 00:27:08,730 everything. 796 00:27:10,020 --> 00:27:12,089 So using this technique, I can write 797 00:27:12,090 --> 00:27:13,170 very reliable code. 798 00:27:14,270 --> 00:27:16,649 Here, this is an implementation in JavaScript, 799 00:27:16,650 --> 00:27:18,479 so I'm just calling this 800 00:27:18,480 --> 00:27:20,699 arbitrary read function, 801 00:27:20,700 --> 00:27:23,609 which returns me a string 802 00:27:23,610 --> 00:27:25,139 from the address of the VirtualAlloc 803 00:27:25,140 --> 00:27:27,299 function. And then I can just 804 00:27:27,300 --> 00:27:29,519 access the bytes and say, yeah, if 805 00:27:29,520 --> 00:27:32,099 it's a mov instruction, just 806 00:27:32,100 --> 00:27:33,819 run the exploit without any EMET 807 00:27:33,820 --> 00:27:36,149 bypasses, and if it's a jmp instruction, 808 00:27:36,150 --> 00:27:38,219 I know EMET is there, so just follow 809 00:27:38,220 --> 00:27:39,839 this jump. 810 00:27:39,840 --> 00:27:42,299 And just iterate and find 811 00:27:42,300 --> 00:27:44,579 the instructions, so it would read the opcode 812 00:27:44,580 --> 00:27:45,839 of the current instruction. 813 00:27:45,840 --> 00:27:47,549 I'm just looping until I find this call 814 00:27:47,550 --> 00:27:49,679 instruction and then say, yeah, 815 00:27:49,680 --> 00:27:51,359 if it's this opcode, it's a sub 816 00:27:51,360 --> 00:27:53,969 instruction.
That means the size of 817 00:27:53,970 --> 00:27:56,099 it, just skip two bytes; if it's a 818 00:27:56,100 --> 00:27:58,319 push instruction, skip five bytes 819 00:27:58,320 --> 00:28:00,109 and so on, until I find the call 820 00:28:00,110 --> 00:28:02,219 instruction, and as soon as I have found 821 00:28:02,220 --> 00:28:04,349 the call instruction, I can read the 822 00:28:04,350 --> 00:28:05,699 PE header. 823 00:28:05,700 --> 00:28:07,739 And in this case I'm just reading the 824 00:28:07,740 --> 00:28:09,989 checksum field and the timestamp field. 825 00:28:09,990 --> 00:28:12,329 And based on these values, I can identify 826 00:28:12,330 --> 00:28:15,089 which version of EMET is there, 827 00:28:15,090 --> 00:28:17,159 and I know which version is there 828 00:28:17,160 --> 00:28:18,299 and the image base of it. 829 00:28:22,720 --> 00:28:24,419 And now I come to the different 830 00:28:24,420 --> 00:28:25,420 protections. 831 00:28:27,400 --> 00:28:29,619 As already mentioned, EMET 832 00:28:29,620 --> 00:28:31,689 contains five different return-oriented 833 00:28:31,690 --> 00:28:33,819 programming protections, and if we want to 834 00:28:33,820 --> 00:28:35,499 bypass these protections, we have three 835 00:28:35,500 --> 00:28:37,569 different possibilities, three different 836 00:28:37,570 --> 00:28:38,889 approaches. 837 00:28:38,890 --> 00:28:40,329 The first approach is that we can just 838 00:28:40,330 --> 00:28:42,429 bypass each protection separately. 839 00:28:42,430 --> 00:28:44,409 So this is described in this paper by 840 00:28:44,410 --> 00:28:46,539 Jared DeMott; it gives a great 841 00:28:46,540 --> 00:28:48,249 overview about it. 842 00:28:48,250 --> 00:28:50,409 Another idea is that we can 843 00:28:50,410 --> 00:28:52,239 use the trick developed by Offensive 844 00:28:52,240 --> 00:28:54,429 Security.
So what they were doing 845 00:28:54,430 --> 00:28:56,679 is they just reversed EMET.dll and found 846 00:28:56,680 --> 00:28:57,979 out that there is a global flag, and 847 00:28:57,980 --> 00:29:00,009 if this flag is set to zero, 848 00:29:00,010 --> 00:29:02,229 all protections are just disabled. 849 00:29:02,230 --> 00:29:04,109 So what they are doing is to write a 850 00:29:04,110 --> 00:29:06,759 rather short ROP chain which disables, 851 00:29:06,760 --> 00:29:07,990 zeroes out, this flag. 852 00:29:09,190 --> 00:29:10,119 And I recommended 853 00:29:10,120 --> 00:29:12,309 in my talks that Microsoft moves 854 00:29:12,310 --> 00:29:14,709 this flag to a read-only location, because 855 00:29:14,710 --> 00:29:16,329 if it's read-only, they cannot overwrite 856 00:29:16,330 --> 00:29:17,379 it. 857 00:29:17,380 --> 00:29:19,449 But Microsoft has chosen 858 00:29:19,450 --> 00:29:21,819 another approach with 5.0. 859 00:29:21,820 --> 00:29:23,619 They just encoded the pointer to the 860 00:29:23,620 --> 00:29:25,839 flag. But the problem is that decoding 861 00:29:25,840 --> 00:29:27,309 this pointer is quite easy inside the 862 00:29:27,310 --> 00:29:29,199 ROP chain. So in the second blog post 863 00:29:29,200 --> 00:29:32,049 from Offensive Security, they 864 00:29:32,050 --> 00:29:33,759 used this approach. They just decoded the 865 00:29:33,760 --> 00:29:36,819 pointer and just applied the same technique. 866 00:29:36,820 --> 00:29:38,649 With the release of 5.1, 867 00:29:38,650 --> 00:29:40,869 Microsoft fixed it by using 868 00:29:40,870 --> 00:29:42,999 a read-only section, as I mentioned. 869 00:29:44,200 --> 00:29:46,269 But the problem now 870 00:29:46,270 --> 00:29:48,339 is that there's a third trick. 871 00:29:48,340 --> 00:29:50,319 So there's another trick which can be 872 00:29:50,320 --> 00:29:51,879 used to bypass EMET.
873 00:29:51,880 --> 00:29:53,949 What Offensive Security is now doing 874 00:29:53,950 --> 00:29:56,349 is they're just using the third trick 875 00:29:56,350 --> 00:29:57,549 to make the EMET.dll 876 00:29:57,550 --> 00:29:59,199 read-only section 877 00:29:59,200 --> 00:30:00,339 writable. Then 878 00:30:00,340 --> 00:30:01,929 they can just apply the same trick by 879 00:30:01,930 --> 00:30:03,519 overwriting this flag. 880 00:30:03,520 --> 00:30:05,409 So as long as this trick is not patched 881 00:30:05,410 --> 00:30:07,629 by Microsoft, it's just possible to apply it 882 00:30:07,630 --> 00:30:08,739 again and again. 883 00:30:08,740 --> 00:30:10,899 But as soon as they would fix this, 884 00:30:10,900 --> 00:30:12,489 this third trick, 885 00:30:12,490 --> 00:30:14,319 it would really require us that we bypass 886 00:30:14,320 --> 00:30:16,119 each protection separately, which really 887 00:30:16,120 --> 00:30:17,979 puts a higher workload on the attacker. 888 00:30:19,090 --> 00:30:21,129 This approach was developed by myself 889 00:30:21,130 --> 00:30:23,499 during my research, but I think 890 00:30:24,640 --> 00:30:26,409 about the same time Offensive Security 891 00:30:26,410 --> 00:30:28,539 also found it because it's 892 00:30:28,540 --> 00:30:29,799 quite easy to find. 893 00:30:29,800 --> 00:30:31,479 And here's the idea that you can just 894 00:30:31,480 --> 00:30:33,579 make direct system calls because EMET is 895 00:30:33,580 --> 00:30:35,169 completely in userspace. 896 00:30:35,170 --> 00:30:36,699 And if you just make a call directly to 897 00:30:36,700 --> 00:30:38,799 the kernel, EMET has no way to, to 898 00:30:38,800 --> 00:30:41,679 somehow get in between of this and just 899 00:30:41,680 --> 00:30:43,150 see that an attack is ongoing. 900 00:30:44,740 --> 00:30:46,609 And now I talk about the different 901 00:30:46,610 --> 00:30:48,069 protections separately and how we can 902 00:30:48,070 --> 00:30:48,639 bypass them.
903 00:30:48,640 --> 00:30:50,559 And at the end, I just talk a little bit 904 00:30:50,560 --> 00:30:51,560 about the tricks. 905 00:30:52,910 --> 00:30:55,029 LoadLib is the first protection and 906 00:30:55,030 --> 00:30:57,099 it uses the idea that EMET prevents 907 00:30:58,470 --> 00:30:59,939 the attacker from loading additional 908 00:30:59,940 --> 00:31:02,099 modules from Windows shares, 909 00:31:02,100 --> 00:31:04,199 and I didn't really have to bypass 910 00:31:04,200 --> 00:31:05,879 this one because I'm not loading any 911 00:31:05,880 --> 00:31:07,839 additional modules from shares, but 912 00:31:07,840 --> 00:31:09,389 you can have a look at this "Bypassing All 913 00:31:09,390 --> 00:31:12,089 of the Things" talk by Aaron Portnoy 914 00:31:12,090 --> 00:31:13,169 if you want to see a bypass. 915 00:31:13,170 --> 00:31:15,149 But I think this was just working for 916 00:31:15,150 --> 00:31:16,229 3.5. 917 00:31:16,230 --> 00:31:18,299 But, yeah, finding a way 918 00:31:18,300 --> 00:31:20,669 around this would not be too hard. 919 00:31:20,670 --> 00:31:22,859 MemProt is the next 920 00:31:22,860 --> 00:31:23,939 protection. 921 00:31:23,940 --> 00:31:26,039 Here is the idea that functions 922 00:31:26,040 --> 00:31:28,109 like VirtualProtect and VirtualAlloc 923 00:31:28,110 --> 00:31:29,609 are prevented from making the stack 924 00:31:29,610 --> 00:31:31,349 executable because the stack should 925 00:31:31,350 --> 00:31:34,349 never, ever contain executable code. 926 00:31:34,350 --> 00:31:36,629 And you can easily bypass 927 00:31:36,630 --> 00:31:38,279 this one by just making any other 928 00:31:38,280 --> 00:31:39,779 location executable. 929 00:31:39,780 --> 00:31:41,099 For example, the heap. 930 00:31:41,100 --> 00:31:42,859 But this requires that we modify the 931 00:31:42,860 --> 00:31:45,239 chain. So typically we are quite lazy.
932 00:31:45,240 --> 00:31:47,219 We just use a tool such as mona to 933 00:31:47,220 --> 00:31:48,539 generate the ROP chain. 934 00:31:48,540 --> 00:31:50,489 So in this case this is a ROP chain which 935 00:31:50,490 --> 00:31:52,709 disables Data Execution Prevention 936 00:31:52,710 --> 00:31:55,319 and this was generated using mona. 937 00:31:55,320 --> 00:31:57,419 The important fact is that a pushad 938 00:31:57,420 --> 00:31:59,489 instruction is used to invoke 939 00:31:59,490 --> 00:32:01,949 the VirtualAlloc function 940 00:32:01,950 --> 00:32:03,569 and this would also push the arguments to 941 00:32:03,570 --> 00:32:05,339 the stack. And that means that we don't have 942 00:32:05,340 --> 00:32:07,139 control over these arguments. 943 00:32:07,140 --> 00:32:09,609 So I have developed my own ROP chain. 944 00:32:09,610 --> 00:32:11,849 In this case, I'm using 945 00:32:11,850 --> 00:32:13,289 a push instruction to invoke the 946 00:32:13,290 --> 00:32:15,209 function. That means I have full control 947 00:32:15,210 --> 00:32:16,979 over all the arguments and can just say 948 00:32:16,980 --> 00:32:18,539 that the address, the target address, is 949 00:32:18,540 --> 00:32:20,369 now pointing to the heap instead. 950 00:32:21,690 --> 00:32:23,259 I come to this ROP chain a little bit 951 00:32:23,260 --> 00:32:25,399 later. The StackPivot 952 00:32:25,400 --> 00:32:27,219 mitigation technique was already 953 00:32:27,220 --> 00:32:29,319 mentioned. It uses the idea 954 00:32:29,320 --> 00:32:31,989 that it just verifies 955 00:32:31,990 --> 00:32:34,059 if the stack pointer points to the stack and was 956 00:32:34,060 --> 00:32:36,109 not shifted away, because in my case, I 957 00:32:36,110 --> 00:32:38,409 just had shifted it away to the heap. 958 00:32:38,410 --> 00:32:39,529 To bypass this,
959 00:32:39,530 --> 00:32:41,799 you can just copy
960 00:32:41,800 --> 00:32:44,139 everything from the heap back to the stack
961 00:32:44,140 --> 00:32:46,839 before invoking the critical function.
962 00:32:46,840 --> 00:32:48,309 You see here, this is the code to do
963 00:32:48,310 --> 00:32:50,139 this. It's not very interesting.
964 00:32:50,140 --> 00:32:51,639 Just in a while loop I'm just copying
965 00:32:51,640 --> 00:32:54,069 everything there, and using an exchange
966 00:32:54,070 --> 00:32:56,229 I just go from the
967 00:32:56,230 --> 00:32:57,230 heap to the stack.
968 00:33:00,030 --> 00:33:01,529 The Caller mitigation technique is a
969 00:33:01,530 --> 00:33:03,599 very interesting one, because we have
970 00:33:03,600 --> 00:33:05,429 three different possibilities to invoke a
971 00:33:05,430 --> 00:33:07,499 function. So first of all, we can
972 00:33:07,500 --> 00:33:10,169 call a function. This is the valid case,
973 00:33:10,170 --> 00:33:11,939 but we can also jump to the start of the
974 00:33:11,940 --> 00:33:14,069 function, or we can make
975 00:33:14,070 --> 00:33:16,529 a fake function return: so we can push
976 00:33:16,530 --> 00:33:18,959 the function address and push the return
977 00:33:18,960 --> 00:33:21,419 address and directly make a return.
978 00:33:21,420 --> 00:33:23,729 That means it just jumps to this address
979 00:33:23,730 --> 00:33:24,629 here.
980 00:33:24,630 --> 00:33:27,419 And if you apply return-oriented programming,
981 00:33:27,420 --> 00:33:29,549 you typically are using this approach
982 00:33:29,550 --> 00:33:30,299 here.
983 00:33:30,300 --> 00:33:32,669 And what EMET is now doing is:
984 00:33:32,670 --> 00:33:35,009 if we make the valid case, the last one,
985 00:33:35,010 --> 00:33:37,199 if you call a function, the instruction
986 00:33:37,200 --> 00:33:38,699 would push the return address.
987 00:33:38,700 --> 00:33:40,649 So it would push the address of the next
988 00:33:40,650 --> 00:33:43,019 instruction, this address here,
989 00:33:43,020 --> 00:33:46,319 to the stack, and EMET takes
990 00:33:46,320 --> 00:33:48,629 this return address and just goes backward
991 00:33:48,630 --> 00:33:50,159 and checks if there's really a call to
992 00:33:50,160 --> 00:33:51,629 this function there.
993 00:33:51,630 --> 00:33:53,129 So this is what it is doing.
994 00:33:53,130 --> 00:33:54,749 And if you are doing the second
995 00:33:54,750 --> 00:33:55,979 or third approach,
996 00:33:55,980 --> 00:33:57,839 there would be no such return address
997 00:33:57,840 --> 00:34:00,119 there. And that's how EMET detects the
998 00:34:00,120 --> 00:34:02,369 attack, and we can bypass this
999 00:34:02,370 --> 00:34:04,499 one by just returning, instead of
1000 00:34:04,500 --> 00:34:06,059 returning directly to the function, we can
1001 00:34:06,060 --> 00:34:08,339 return to a call of the function.
1002 00:34:08,340 --> 00:34:09,340 So.
1003 00:34:10,780 --> 00:34:13,089 This approach was developed
1004 00:34:13,090 --> 00:34:15,189 by Jared DeMott, and he was using
1005 00:34:15,190 --> 00:34:16,569 this gadget here.
1006 00:34:16,570 --> 00:34:18,738 So instead of directly returning to
1007 00:34:18,739 --> 00:34:21,019 VirtualAlloc, we return
1008 00:34:21,020 --> 00:34:23,079 to the start of this call here,
1009 00:34:23,080 --> 00:34:24,488 to this location here.
1010 00:34:24,489 --> 00:34:26,769 So if EMET now goes back, what it would see:
1011 00:34:26,770 --> 00:34:28,479 the return address would be this one
1012 00:34:28,480 --> 00:34:30,759 here. So it would just go here, go back
1013 00:34:30,760 --> 00:34:32,559 five bytes and check if this is a call
1014 00:34:32,560 --> 00:34:34,869 and say this is fine, and the
1015 00:34:34,870 --> 00:34:36,399 protection is bypassed.
1016 00:34:36,400 --> 00:34:38,678 But I see some problems with this gadget
1017 00:34:38,679 --> 00:34:41,948 here. So first of all, the addresses:
1018 00:34:41,949 --> 00:34:43,448 if you have a look at the addresses, you
1019 00:34:43,449 --> 00:34:46,029 see that it's from a Windows library.
1020 00:34:46,030 --> 00:34:47,709 That means it would just work against one
1021 00:34:47,710 --> 00:34:49,849 specific operating system,
1022 00:34:49,850 --> 00:34:51,999 against one specific service pack level,
1023 00:34:52,000 --> 00:34:54,229 which is bad because we cannot
1024 00:34:54,230 --> 00:34:56,468 attack any other operating system. And you see
1025 00:34:56,469 --> 00:34:58,839 here that there are many, many memory references
1026 00:34:58,840 --> 00:35:00,819 there, which can maybe lead to a
1027 00:35:00,820 --> 00:35:02,199 segmentation fault.
1028 00:35:02,200 --> 00:35:04,449 So this is quite bad, because this
1029 00:35:04,450 --> 00:35:06,669 call to VirtualAlloc is quite far away
1030 00:35:06,670 --> 00:35:08,649 from the return.
1031 00:35:08,650 --> 00:35:11,139 So what I was using instead is a gadget
1032 00:35:11,140 --> 00:35:12,789 inside a Mozilla module.
1033 00:35:12,790 --> 00:35:14,859 And you see here, it's again a
1034 00:35:14,860 --> 00:35:16,749 call to VirtualProtect.
1035 00:35:16,750 --> 00:35:19,089 And you have just one memory reference
1036 00:35:19,090 --> 00:35:20,529 here, but I can ensure that this is not
1037 00:35:20,530 --> 00:35:21,999 crashing. After that,
1038 00:35:22,000 --> 00:35:23,979 just a compare, and just take this jump,
1039 00:35:23,980 --> 00:35:25,899 which leads to a return; the return would
1040 00:35:25,900 --> 00:35:27,150 go to the next gadget.
1041 00:35:29,320 --> 00:35:31,629 But what to do if there's
1042 00:35:31,630 --> 00:35:33,429 no such call at all which is very
1043 00:35:33,430 --> 00:35:35,529 near to a return? What we can
1044 00:35:35,530 --> 00:35:37,539 do is, we can just use any call to any
1045 00:35:37,540 --> 00:35:40,179 register. So in my ROP chain,
1046 00:35:40,180 --> 00:35:42,039 if you look at my push:
1047 00:35:42,040 --> 00:35:43,949 this is making the call to the
1048 00:35:43,950 --> 00:35:45,969 function, and this just
1049 00:35:47,200 --> 00:35:49,509 invokes this call here.
1050 00:35:49,510 --> 00:35:51,729 So I'm making here a call to EDI
1051 00:35:51,730 --> 00:35:53,739 and just ensure that EDI is pointing
1052 00:35:53,740 --> 00:35:55,659 to the target function which I want.
1053 00:35:55,660 --> 00:35:57,729 So you see here,
1054 00:35:57,730 --> 00:35:58,749 I'm just popping
1055 00:35:58,750 --> 00:36:01,029 EAX. That means the next value is popped into
1056 00:36:01,030 --> 00:36:03,189 it. This is the address of the
1057 00:36:03,190 --> 00:36:05,499 VirtualAlloc import address table entry.
1058 00:36:05,500 --> 00:36:07,209 This line just resolves it.
1059 00:36:07,210 --> 00:36:09,339 And with the exchange I'm just moving the
1060 00:36:09,340 --> 00:36:11,709 value into EDI, just ensuring
1061 00:36:11,710 --> 00:36:14,439 that EDI is pointing to this location,
1062 00:36:14,440 --> 00:36:16,779 as you see it here, that it is currently
1063 00:36:16,780 --> 00:36:17,949 pointing to VirtualAlloc.
1064 00:36:19,450 --> 00:36:21,369 And after that, there's just a check.
1065 00:36:21,370 --> 00:36:23,499 This cannot lead to a segmentation fault.
1066 00:36:23,500 --> 00:36:25,359 And then I just take this jump to this call
1067 00:36:25,360 --> 00:36:26,289 here.
1068 00:36:26,290 --> 00:36:28,359 And no memory reference at all,
1069 00:36:28,360 --> 00:36:29,739 so this cannot crash.
1070 00:36:32,700 --> 00:36:34,949 The last ROP protection is SimExecFlow,
1071 00:36:34,950 --> 00:36:37,019 and it just takes the idea of the
1072 00:36:37,020 --> 00:36:39,179 Caller mitigation technique. It
1073 00:36:39,180 --> 00:36:41,729 just applies this technique
1074 00:36:41,730 --> 00:36:43,499 for the return addresses on the stack. It
1075 00:36:43,500 --> 00:36:45,359 just simulates execution forward and
1076 00:36:45,360 --> 00:36:46,889 applies this technique again and again
1077 00:36:46,890 --> 00:36:48,449 for all return addresses.
1078 00:36:48,450 --> 00:36:51,649 But if you bypass the Caller mitigation,
1079 00:36:51,650 --> 00:36:53,519 this protection is also bypassed at the same
1080 00:36:53,520 --> 00:36:55,649 time. During a later
1081 00:36:55,650 --> 00:36:57,929 stage of an exploit,
1082 00:36:57,930 --> 00:36:59,909 this mitigation technique also
1083 00:36:59,910 --> 00:37:02,189 triggers because of my shellcode, and
1084 00:37:02,190 --> 00:37:03,659 I found out that I can just make a
1085 00:37:03,660 --> 00:37:05,729 call to itself, so this call here just
1086 00:37:05,730 --> 00:37:08,489 calls the pop instruction, and then I pop
1087 00:37:08,490 --> 00:37:09,810 the pushed return address.
1088 00:37:11,010 --> 00:37:12,809 So this code is expected to do nothing
1089 00:37:12,810 --> 00:37:15,089 but just confusing the simulation of
1090 00:37:15,090 --> 00:37:17,279 EMET's SimExecFlow, so
1091 00:37:17,280 --> 00:37:18,929 this can be used to bypass this
1092 00:37:18,930 --> 00:37:19,939 protection mechanism.
1093 00:37:23,820 --> 00:37:25,769 And I'll come to the trick which can be
1094 00:37:25,770 --> 00:37:28,619 used to bypass all these protections
1095 00:37:28,620 --> 00:37:30,749 at one
1096 00:37:30,750 --> 00:37:32,939 time. It uses the idea that I can
1097 00:37:32,940 --> 00:37:35,219 just make direct system calls, because
1098 00:37:35,220 --> 00:37:37,079 EMET is completely userspace: it can just
1099 00:37:37,080 --> 00:37:38,649 hook userspace functions.
1100 00:37:38,650 --> 00:37:40,139 And if I make a direct call to the
1101 00:37:40,140 --> 00:37:42,299 kernel, it has no possibility to
1102 00:37:42,300 --> 00:37:44,099 intercept this call.
1103 00:37:44,100 --> 00:37:46,289 And the problem is that hardcoding
1104 00:37:46,290 --> 00:37:48,479 system call numbers is bad, because
1105 00:37:48,480 --> 00:37:50,129 from one operating system or from one
1106 00:37:50,130 --> 00:37:52,579 service pack level to another, the system call numbers change.
1107 00:37:52,580 --> 00:37:54,509 So I cannot hardcode these values.
1108 00:37:54,510 --> 00:37:56,219 So one approach could be that we have a
1109 00:37:56,220 --> 00:37:58,569 shellcode which first identifies the
1110 00:37:58,570 --> 00:38:00,719 version of the operating
1111 00:38:00,720 --> 00:38:02,579 system and the service pack level and then just has
1112 00:38:02,580 --> 00:38:04,529 many hardcoded values for all different
1113 00:38:04,530 --> 00:38:06,209 kinds of operating systems.
1114 00:38:06,210 --> 00:38:08,519 But we have something better.
1115 00:38:08,520 --> 00:38:10,419 If you have, again, a look at how a
1116 00:38:10,420 --> 00:38:12,659 function is implemented, this
1117 00:38:12,660 --> 00:38:14,639 one here: this is the implementation
1118 00:38:14,640 --> 00:38:16,019 inside the DLL.
1119 00:38:16,020 --> 00:38:18,329 So if I invoke the VirtualProtect
1120 00:38:18,330 --> 00:38:19,829 function, it would call the
1121 00:38:19,830 --> 00:38:22,199 implementation of it inside kernel32.
1122 00:38:22,200 --> 00:38:23,849 This would just forward the execution to
1123 00:38:23,850 --> 00:38:25,739 the KernelBase implementation, and the
1124 00:38:25,740 --> 00:38:27,359 KernelBase implementation just forwards
1125 00:38:27,360 --> 00:38:29,339 execution to the ntdll version.
1126 00:38:29,340 --> 00:38:31,409 So to this version here. You see here, the
1127 00:38:31,410 --> 00:38:33,659 first line just moves the system
1128 00:38:33,660 --> 00:38:35,369 call number into the EAX register,
1129 00:38:36,480 --> 00:38:38,069 and then the following two lines just
1130 00:38:38,070 --> 00:38:40,649 make the call into the kernel, so
1131 00:38:40,650 --> 00:38:42,269 these two lines depend on the exact
1132 00:38:42,270 --> 00:38:43,469 operating system.
1133 00:38:43,470 --> 00:38:46,589 In this case, it's a 32-bit system.
1134 00:38:46,590 --> 00:38:49,199 And if I follow this, you just see
1135 00:38:49,200 --> 00:38:50,699 a sysenter.
1136 00:38:50,700 --> 00:38:53,279 And if EMET now protects this function,
1137 00:38:53,280 --> 00:38:55,289 it just does the same again.
1138 00:38:55,290 --> 00:38:56,459 It just hooks the functions.
1139 00:38:56,460 --> 00:38:58,199 It replaces the first part with a jump.
1140 00:38:59,310 --> 00:39:01,589 And if I follow this code, you see here
1141 00:39:01,590 --> 00:39:03,749 that the third push
1142 00:39:03,750 --> 00:39:05,759 argument points to this blue marked area
1143 00:39:05,760 --> 00:39:08,049 here, so EMET has just copied away
1144 00:39:08,050 --> 00:39:09,719 these bytes to this location.
1145 00:39:09,720 --> 00:39:12,119 And the point is that I can get
1146 00:39:12,120 --> 00:39:14,069 this base address by just adding some
1147 00:39:14,070 --> 00:39:14,999 relative offsets.
1148 00:39:15,000 --> 00:39:16,529 So it's very easy to find the base
1149 00:39:16,530 --> 00:39:17,549 address here.
1150 00:39:17,550 --> 00:39:19,859 Then I can just extract the push
1151 00:39:19,860 --> 00:39:20,909 argument.
1152 00:39:20,910 --> 00:39:22,919 This points to this location, and I can
1153 00:39:22,920 --> 00:39:25,079 directly jump to this location.
1154 00:39:25,080 --> 00:39:26,969 So I can just jump over all protections
1155 00:39:26,970 --> 00:39:29,189 from EMET, execute
1156 00:39:29,190 --> 00:39:31,289 the system call and just return to
1157 00:39:31,290 --> 00:39:32,290 my next gadget.
1158 00:39:35,250 --> 00:39:36,749 It's easier to see the implementation of
1159 00:39:36,750 --> 00:39:38,469 it. This is a little bit more complex
1160 00:39:38,470 --> 00:39:40,469 ROP chain, so I don't want to go into
1161 00:39:40,470 --> 00:39:41,470 too much detail here.
1162 00:39:43,560 --> 00:39:45,689 But it's so big because
1163 00:39:45,690 --> 00:39:47,609 it's finding itself in memory and then
1164 00:39:47,610 --> 00:39:49,559 modifying itself. That's why it's so big
1165 00:39:49,560 --> 00:39:50,560 here.
1166 00:39:51,910 --> 00:39:53,289 Now I come to the last mitigation
1167 00:39:53,290 --> 00:39:55,209 technique. It's the Export Address Table
1168 00:39:55,210 --> 00:39:56,210 Access Filtering.
1169 00:39:57,460 --> 00:39:59,529 The idea here is that a shellcode
1170 00:39:59,530 --> 00:40:01,599 typically has to parse a field which is
1171 00:40:01,600 --> 00:40:03,249 called the AddressOfFunctions field
1172 00:40:03,250 --> 00:40:05,499 inside the header of modules such
1173 00:40:05,500 --> 00:40:07,629 as the kernel32, KernelBase or
1174 00:40:07,630 --> 00:40:09,969 ntdll module, to locate
1175 00:40:09,970 --> 00:40:11,919 functions such as LoadLibrary or
1176 00:40:11,920 --> 00:40:13,090 GetProcAddress.
1177 00:40:14,260 --> 00:40:16,969 And what EMET is doing is, it just places
1178 00:40:16,970 --> 00:40:19,179 breakpoints on this field
1179 00:40:19,180 --> 00:40:20,180 here.
1180 00:40:20,650 --> 00:40:22,419 And as soon as one instruction is trying
1181 00:40:22,420 --> 00:40:24,609 to read this field, this
1182 00:40:24,610 --> 00:40:27,039 breakpoint is triggered, and EMET's code
1183 00:40:27,040 --> 00:40:29,229 kicks in and can do additional
1184 00:40:29,230 --> 00:40:31,299 checks. For example, it can check if
1185 00:40:31,300 --> 00:40:32,709 the instruction belongs to a loaded
1186 00:40:32,710 --> 00:40:34,089 module, then it's valid.
1187 00:40:34,090 --> 00:40:35,469 And if it does not belong to a loaded
1188 00:40:35,470 --> 00:40:36,939 module, for example it's stored on the
1189 00:40:36,940 --> 00:40:39,069 heap, it's most likely from a shellcode, and
1190 00:40:39,070 --> 00:40:41,729 that means execution can be
1191 00:40:41,730 --> 00:40:42,730 terminated.
1192 00:40:44,040 --> 00:40:45,989 And we have, again, many, many different
1193 00:40:45,990 --> 00:40:47,909 ideas how this protection can be
1194 00:40:47,910 --> 00:40:49,769 bypassed. So, first of all, you can just
1195 00:40:49,770 --> 00:40:51,359 use, again, a ROP chain, because then the
1196 00:40:51,360 --> 00:40:53,579 instruction is from a loaded module, or
1197 00:40:53,580 --> 00:40:55,479 we can use some other techniques.
1198 00:40:55,480 --> 00:40:57,479 But the problem with the first three
1199 00:40:57,480 --> 00:41:00,119 techniques is that we have to modify
1200 00:41:00,120 --> 00:41:02,159 the shellcode to use this technique,
1201 00:41:03,540 --> 00:41:05,459 and because developers are typically very
1202 00:41:05,460 --> 00:41:07,609 lazy, we can use this
1203 00:41:07,610 --> 00:41:08,669 last approach here.
1204 00:41:08,670 --> 00:41:10,169 We can just remove all the
1205 00:41:10,170 --> 00:41:11,789 breakpoints before executing our own
1206 00:41:11,790 --> 00:41:13,949 shellcode, and to
1207 00:41:13,950 --> 00:41:14,819 remove the breakpoints
1208 00:41:14,820 --> 00:41:16,170 we have, again, many different
1209 00:41:17,340 --> 00:41:18,340 possibilities.
1210 00:41:19,820 --> 00:41:22,039 So the main approach was developed
1211 00:41:22,040 --> 00:41:23,909 by Piotr Bania.
1212 00:41:23,910 --> 00:41:25,579 You can have a look at his blog post
1213 00:41:25,580 --> 00:41:27,649 here, but the problem is that he was
1214 00:41:27,650 --> 00:41:29,749 using hardcoded system call numbers,
1215 00:41:29,750 --> 00:41:31,819 so he used the NtSetContextThread and
1216 00:41:31,820 --> 00:41:34,279 NtContinue system calls to do it.
1217 00:41:34,280 --> 00:41:36,409 So what I was doing then was, I just
1218 00:41:36,410 --> 00:41:38,779 used the API instead and just returned
1219 00:41:38,780 --> 00:41:40,759 to a location inside ntdll
1220 00:41:40,760 --> 00:41:42,919 which calls this API function.
1221 00:41:42,920 --> 00:41:45,289 But since 5.0, EMET is also hooking
1222 00:41:45,290 --> 00:41:46,219 these functions.
1223 00:41:46,220 --> 00:41:47,569 So it's not possible to apply this
1224 00:41:47,570 --> 00:41:49,819 technique anymore unless we first
1225 00:41:49,820 --> 00:41:51,739 disable all protections using the
1226 00:41:51,740 --> 00:41:54,049 approach from Offensive Security.
1227 00:41:54,050 --> 00:41:56,149 But I think in the
1228 00:41:56,150 --> 00:41:57,949 next releases of EMET this will not be
1229 00:41:57,950 --> 00:41:58,939 possible to apply.
1230 00:41:58,940 --> 00:42:00,949 And that's why I think it's
1231 00:42:00,950 --> 00:42:02,309 not so interesting here.
1232 00:42:03,320 --> 00:42:05,539 So the first approaches are just using
1233 00:42:05,540 --> 00:42:07,219 the system call numbers.
1234 00:42:07,220 --> 00:42:08,989 But the downside is that this would just
1235 00:42:08,990 --> 00:42:10,579 work against one specific operating
1236 00:42:10,580 --> 00:42:11,239 system.
1237 00:42:11,240 --> 00:42:13,459 And so back then
1238 00:42:13,460 --> 00:42:15,409 I have here some other techniques,
1239 00:42:15,410 --> 00:42:17,539 but for the newest version
1240 00:42:17,540 --> 00:42:19,189 of EMET they're not so interesting,
1241 00:42:19,190 --> 00:42:20,449 so I just skip them.
1242 00:42:20,450 --> 00:42:22,909 So these are just some methods
1243 00:42:22,910 --> 00:42:23,869 to do it.
1244 00:42:23,870 --> 00:42:26,029 But I think the most interesting
1245 00:42:26,030 --> 00:42:28,129 one is that we can just jump over the
1246 00:42:28,130 --> 00:42:30,529 hooks to our clean system call,
1247 00:42:30,530 --> 00:42:33,079 as mentioned in the ROP chapter.
1248 00:42:33,080 --> 00:42:35,789 So this technique has no disadvantage.
1249 00:42:35,790 --> 00:42:37,819 It works against all Windows versions and
1250 00:42:37,820 --> 00:42:39,379 also service packs and against all EMET
1251 00:42:39,380 --> 00:42:40,380 versions.
1252 00:42:51,740 --> 00:42:53,839 And I come to the final thoughts. EMET has
1253 00:42:53,840 --> 00:42:56,329 many, many more protections,
1254 00:42:56,330 --> 00:42:58,489 but I think
1255 00:42:58,490 --> 00:42:59,689 these two protections, the ROP
1256 00:42:59,690 --> 00:43:01,909 protections and EAF, are
1257 00:43:01,910 --> 00:43:04,099 the most interesting ones
1258 00:43:04,100 --> 00:43:06,349 from the technical perspective.
1259 00:43:06,350 --> 00:43:08,209 Other protections are, for example, the Attack
1260 00:43:08,210 --> 00:43:10,599 Surface Reduction (ASR), where I can say that
1261 00:43:10,600 --> 00:43:12,889 I trust loading Java from the intranet,
1262 00:43:12,890 --> 00:43:14,719 but not from the Internet.
1263 00:43:14,720 --> 00:43:17,279 Another one is, for example, certificate
1264 00:43:17,280 --> 00:43:19,309 trust, which verifies the certificates, or
1265 00:43:19,310 --> 00:43:21,649 SEHOP. But SEHOP just protects
1266 00:43:21,650 --> 00:43:23,809 exception handlers; it's from
1267 00:43:23,810 --> 00:43:25,039 the operating system.
1268 00:43:25,040 --> 00:43:26,479 But as soon as we can bypass address
1269 00:43:26,480 --> 00:43:28,159 space layout randomization, it can easily be
1270 00:43:28,160 --> 00:43:29,160 bypassed.
1271 00:43:30,630 --> 00:43:32,909 Then heap spray pre-allocation and null page
1272 00:43:32,910 --> 00:43:35,009 allocation: it's very easy
1273 00:43:35,010 --> 00:43:37,109 to bypass this one. The idea is
1274 00:43:37,110 --> 00:43:39,179 to just use an address which is not
1275 00:43:39,180 --> 00:43:40,439 protected by EMET.
1276 00:43:40,440 --> 00:43:41,759 So if you want to find out more about
1277 00:43:41,760 --> 00:43:43,919 this, just look at my slides from
1278 00:43:43,920 --> 00:43:44,879 Ruxcon.
1279 00:43:44,880 --> 00:43:46,410 But I think it's not so interesting.
1280 00:43:47,440 --> 00:43:49,439 Mandatory ASLR and bottom-
1281 00:43:49,440 --> 00:43:51,599 up randomization just increase the
1282 00:43:51,600 --> 00:43:53,819 functionality of ASLR.
1283 00:43:53,820 --> 00:43:55,949 But if you can bypass ASLR,
1284 00:43:55,950 --> 00:43:58,169 these, of course, can also
1285 00:43:58,170 --> 00:44:00,659 be bypassed. And EAF+ is
1286 00:44:00,660 --> 00:44:02,459 an interesting protection, because it
1287 00:44:02,460 --> 00:44:04,679 should protect against my current
1288 00:44:04,680 --> 00:44:05,999 exploit, my current version of the
1289 00:44:06,000 --> 00:44:08,219 exploit. But it doesn't. I don't really
1290 00:44:08,220 --> 00:44:09,899 know why, but we are currently discussing
1291 00:44:09,900 --> 00:44:11,729 this situation with Microsoft.
1292 00:44:11,730 --> 00:44:13,799 But even if it would protect against
1293 00:44:13,800 --> 00:44:15,119 my current version of the exploit, it
1294 00:44:15,120 --> 00:44:17,519 would not be too hard to extend the exploit
1295 00:44:17,520 --> 00:44:18,750 to bypass this one.
1296 00:44:20,890 --> 00:44:23,469 I have here a quick recap of
1297 00:44:23,470 --> 00:44:24,470 all of it.
1298 00:44:25,330 --> 00:44:27,549 We'll just skip this one here, just
1299 00:44:27,550 --> 00:44:29,590 a summary of what I have told you today.
1300 00:44:32,200 --> 00:44:33,439 We from SEC Consult would really
1301 00:44:33,440 --> 00:44:34,669 appreciate working together with
1302 00:44:34,670 --> 00:44:36,919 Microsoft on improving the
1303 00:44:36,920 --> 00:44:38,869 next EMET releases; we have many, many different
1304 00:44:38,870 --> 00:44:41,299 ideas how it can be improved,
1305 00:44:41,300 --> 00:44:43,339 but of course, no protection is 100
1306 00:44:43,340 --> 00:44:44,389 percent bulletproof.
1307 00:44:45,710 --> 00:44:48,249 I have here a demonstration for you
1308 00:44:48,250 --> 00:44:50,839 where you can see the exploit in action.
1309 00:44:50,840 --> 00:44:52,389 You see, everything is green, so all
1310 00:44:52,390 --> 00:44:53,409 protections are enabled.
1311 00:44:53,410 --> 00:44:54,609 Firefox is protected.
1312 00:44:56,170 --> 00:44:58,239 Then you see all protections are
1313 00:44:58,240 --> 00:45:00,489 enabled. If you click "advanced
1314 00:45:00,490 --> 00:45:02,579 options", you see that the
1315 00:45:02,580 --> 00:45:04,779 Export Address Table Access Filtering Plus
1316 00:45:04,780 --> 00:45:06,340 protection is configured correctly.
1317 00:45:08,310 --> 00:45:10,379 And if I now start Firefox with the
1318 00:45:10,380 --> 00:45:12,389 old exploit without the bypasses,
1319 00:45:17,870 --> 00:45:20,009 you see that it's crashing, and EMET detected
1320 00:45:20,010 --> 00:45:21,079 that an attack is ongoing.
1321 00:45:32,280 --> 00:45:34,469 And if I restart Firefox and refresh
1322 00:45:34,470 --> 00:45:35,580 the page,
1323 00:45:36,800 --> 00:45:39,019 you see it's still protected, and
1324 00:45:39,020 --> 00:45:41,659 now we have the bypass:
1325 00:45:41,660 --> 00:45:43,010 the calculator pops up.
1326 00:45:51,830 --> 00:45:54,079 And you also see that Firefox
1327 00:45:54,080 --> 00:45:56,209 is not crashing, so we can just execute
1328 00:45:56,210 --> 00:45:58,399 the exploit again and again, and
1329 00:45:58,400 --> 00:46:00,259 the victim really knows nothing, that
1330 00:46:00,260 --> 00:46:01,400 there is something ongoing.
1331 00:46:02,450 --> 00:46:04,429 I have here a summary of the workload.
1332 00:46:04,430 --> 00:46:06,769 So I think the initial exploit without
1333 00:46:06,770 --> 00:46:09,019 the bypasses was
1334 00:46:09,020 --> 00:46:10,729 quite easy. So it just took me about
1335 00:46:10,730 --> 00:46:11,839 three to five days.
1336 00:46:11,840 --> 00:46:13,759 I think if you really try to make it
1337 00:46:13,760 --> 00:46:16,129 very fast, you can do it in one day.
1338 00:46:16,130 --> 00:46:18,289 But yeah, I was doing
1339 00:46:18,290 --> 00:46:19,789 this in my free time, so I was watching
1340 00:46:19,790 --> 00:46:20,899 TV and stuff like that
1341 00:46:20,900 --> 00:46:22,999 while doing this. So it just took me three
1342 00:46:23,000 --> 00:46:24,379 days.
1343 00:46:24,380 --> 00:46:26,569 And then I think the first bypass
1344 00:46:26,570 --> 00:46:28,279 really was high effort.
1345 00:46:28,280 --> 00:46:29,779 I can't estimate and can't tell you how
1346 00:46:29,780 --> 00:46:31,939 long it took, but the exploit
1347 00:46:31,940 --> 00:46:34,069 currently has about five thousand lines of
1348 00:46:34,070 --> 00:46:35,899 code, so it's really huge.
1349 00:46:35,900 --> 00:46:38,119 So it took me really
1350 00:46:38,120 --> 00:46:39,169 much time.
1351 00:46:39,170 --> 00:46:41,449 But my idea was that I just
1352 00:46:41,450 --> 00:46:43,519 developed many, many different ideas to
1353 00:46:43,520 --> 00:46:45,199 bypass these mitigation techniques.
1354 00:46:45,200 --> 00:46:47,299 So I just showed you here some of the
1355 00:46:47,300 --> 00:46:49,009 techniques which can be used.
1356 00:46:49,010 --> 00:46:51,529 And that means I can just configure it also.
1357 00:46:51,530 --> 00:46:53,839 So at the time EMET updated itself
1358 00:46:53,840 --> 00:46:55,520 to 5.0,
1359 00:46:56,570 --> 00:46:58,959 it was quite easy to migrate the
1360 00:46:58,960 --> 00:47:00,799 exploit. It just took me five minutes,
1361 00:47:00,800 --> 00:47:02,869 because I just had to configure it to
1362 00:47:02,870 --> 00:47:05,449 use other techniques and
1363 00:47:05,450 --> 00:47:07,279 add four lines of code, because I had to
1364 00:47:07,280 --> 00:47:10,039 parse two additional simple instructions.
1365 00:47:10,040 --> 00:47:11,479 So I'm parsing through the simple
1366 00:47:11,480 --> 00:47:12,979 instructions and saying, if it's a push,
1367 00:47:12,980 --> 00:47:15,139 it has a size of five, and I just had to
1368 00:47:15,140 --> 00:47:17,509 add two such instructions.
1369 00:47:17,510 --> 00:47:19,759 And the same applies for the
1370 00:47:19,760 --> 00:47:22,459 release of 5.1.
1371 00:47:22,460 --> 00:47:24,919 So this is the current version. It
1372 00:47:24,920 --> 00:47:27,349 took me about 40 minutes, because
1373 00:47:27,350 --> 00:47:29,799 they tried to break my scan-
1374 00:47:29,800 --> 00:47:31,909 down approach. So I'm looking at a pointer
1375 00:47:31,910 --> 00:47:32,929 into the DLL.
1376 00:47:32,930 --> 00:47:35,029 And from this point I just go down
1377 00:47:35,030 --> 00:47:36,289 until I find the PE header,
1378 00:47:37,640 --> 00:47:39,739 and you see it on the next
1379 00:47:39,740 --> 00:47:40,740 slide.
1380 00:47:41,640 --> 00:47:43,869 So these are the sections of the DLL.
1381 00:47:43,870 --> 00:47:45,839 This is the header and this is the .text
1382 00:47:45,840 --> 00:47:48,029 section. So I have a pointer inside this .text
1383 00:47:48,030 --> 00:47:50,059 section and then I just go downwards.
1384 00:47:50,060 --> 00:47:51,269 So from
1385 00:47:52,650 --> 00:47:55,049 this location to find the header,
1386 00:47:55,050 --> 00:47:56,399 and you see that there is no gap in
1387 00:47:56,400 --> 00:47:58,559 between. So if you add to
1388 00:47:58,560 --> 00:48:00,389 the base address here the size, which
1389 00:48:00,390 --> 00:48:02,459 is 1000, you would end
1390 00:48:02,460 --> 00:48:04,619 up exactly with this address here.
1391 00:48:04,620 --> 00:48:06,119 So it's exactly the address of the .text
1392 00:48:06,120 --> 00:48:08,219 section. The same applies for
1393 00:48:08,220 --> 00:48:09,779 EMET 5.0.
1394 00:48:09,780 --> 00:48:11,969 So if you add up here this one,
1395 00:48:11,970 --> 00:48:14,069 you come up to the next address.
1396 00:48:14,070 --> 00:48:16,079 And what EMET is now doing in
1397 00:48:16,080 --> 00:48:18,419 5.1 is that
1398 00:48:18,420 --> 00:48:21,629 if I add this 1000,
1399 00:48:21,630 --> 00:48:23,309 I don't come to this .text section.
1400 00:48:23,310 --> 00:48:25,469 So there's a hole in between,
1401 00:48:25,470 --> 00:48:27,689 this is unmapped memory, and if I try
1402 00:48:27,690 --> 00:48:29,909 to scan down, I just
1403 00:48:29,910 --> 00:48:32,129 access this memory: just a segmentation
1404 00:48:32,130 --> 00:48:34,079 fault.
So what I'm doing instead is
1405 00:48:34,080 --> 00:48:35,519 just search for the start of the .text
1406 00:48:35,520 --> 00:48:37,619 section, and then I can just
1407 00:48:37,620 --> 00:48:39,629 subtract the relative offset of it to
1408 00:48:39,630 --> 00:48:41,699 reach the header, or I
1409 00:48:41,700 --> 00:48:43,769 don't really have to extract it at
1410 00:48:43,770 --> 00:48:45,809 all. So it's quite easy to bypass this
1411 00:48:45,810 --> 00:48:46,810 one.
1412 00:48:47,390 --> 00:48:49,069 You see here, it's also working against
1413 00:48:49,070 --> 00:48:51,349 the newest version of EMET. I just verified
1414 00:48:51,350 --> 00:48:52,899 two days ago that this is the actual
1415 00:48:52,900 --> 00:48:53,900 version.
1416 00:48:56,740 --> 00:48:58,629 Yeah, here you have some contact
1417 00:48:58,630 --> 00:48:59,739 information.
1418 00:48:59,740 --> 00:49:01,269 And just remember that we are currently
1419 00:49:01,270 --> 00:49:02,329 searching for new employees.
1420 00:49:02,330 --> 00:49:04,239 So if you're interested, you can just
1421 00:49:04,240 --> 00:49:06,339 drop me a mail or send a mail to
1422 00:49:06,340 --> 00:49:07,340 our office.
1423 00:49:08,320 --> 00:49:10,179 Yeah. Thank you for your attention, and if
1424 00:49:10,180 --> 00:49:11,180 you have any questions...
1425 00:49:18,800 --> 00:49:20,719 Thank you for this very nice talk. Now,
1426 00:49:20,720 --> 00:49:22,519 if you have any questions, please line
1427 00:49:22,520 --> 00:49:24,739 up at the six microphones we have here
1428 00:49:24,740 --> 00:49:25,740 at the ground level.
1429 00:49:26,900 --> 00:49:27,979 While you're doing this, a quick
1430 00:49:27,980 --> 00:49:30,109 announcement: today at
1431 00:49:30,110 --> 00:49:32,269 5:00 pm at the Fairydust rocket
1432 00:49:32,270 --> 00:49:34,279 in front of the building, there will be a
1433 00:49:34,280 --> 00:49:37,049 meeting for the "Freedom
1434 00:49:37,050 --> 00:49:38,719 Not Fear" demonstration.
1435 00:49:38,720 --> 00:49:40,999 If you want to join them, just go down
1436 00:49:41,000 --> 00:49:42,139 there at 5 pm today.
1437 00:49:43,220 --> 00:49:45,109 We have a question at microphone number
1438 00:49:45,110 --> 00:49:46,459 two.
1439 00:49:46,460 --> 00:49:48,079 OK, thanks for the very interesting
1440 00:49:48,080 --> 00:49:49,080 talk.
1441 00:49:49,730 --> 00:49:50,659 What I wanted to know:
1442 00:49:50,660 --> 00:49:52,609 so you said that after the ROP chain,
1443 00:49:52,610 --> 00:49:55,339 you can return execution to it, right?
1444 00:49:55,340 --> 00:49:57,559 Yeah, I have it on the slide
1445 00:49:57,560 --> 00:49:58,869 that this requires some
1446 00:49:59,930 --> 00:50:02,059 some conditions. So it must be possible to
1447 00:50:02,060 --> 00:50:04,249 trigger the vulnerability without
1448 00:50:04,250 --> 00:50:05,659 crashing the application.
1449 00:50:05,660 --> 00:50:07,429 And of course, you need some scripting
1450 00:50:07,430 --> 00:50:09,079 support. So if you attack a local
1451 00:50:09,080 --> 00:50:10,849 application, it does not apply.
1452 00:50:10,850 --> 00:50:13,309 OK, but the question is, what if
1453 00:50:13,310 --> 00:50:15,919 the ROP gadgets you're using
1454 00:50:15,920 --> 00:50:18,379 change the value of some callee-saved
1455 00:50:18,380 --> 00:50:20,659 registers, because
1456 00:50:20,660 --> 00:50:22,849 then it could, like, spoil the execution
1457 00:50:22,850 --> 00:50:24,829 of the rest of the, you know, the
1458 00:50:24,830 --> 00:50:27,169 environment, the JavaScript environment.
1459 00:50:27,170 --> 00:50:28,519 Sorry. Again, it didn't. 1460 00:50:28,520 --> 00:50:30,829 So if one of the Arab gadgets changes 1461 00:50:30,830 --> 00:50:33,320 the value of kholi saved register, 1462 00:50:34,370 --> 00:50:36,469 it will not be restored when you 1463 00:50:36,470 --> 00:50:38,659 return. And so there's the risk to 1464 00:50:38,660 --> 00:50:40,489 spoil the execution of the JavaScript 1465 00:50:40,490 --> 00:50:41,490 environment. 1466 00:50:42,240 --> 00:50:44,009 Ah, what I'm doing is I just fix 1467 00:50:44,010 --> 00:50:46,529 everything before returning, so 1468 00:50:46,530 --> 00:50:48,360 I'd just touch that. 1469 00:50:49,540 --> 00:50:52,169 Ah, this case, I'm just 1470 00:50:52,170 --> 00:50:54,359 touching the data structure but you don't 1471 00:50:54,360 --> 00:50:56,559 really have to execute a Getchell at all. 1472 00:50:56,560 --> 00:50:58,259 You can just you started winnability in 1473 00:50:58,260 --> 00:51:00,459 this case. So, for example, 1474 00:51:00,460 --> 00:51:02,399 I have really abstracted many things away 1475 00:51:02,400 --> 00:51:04,139 from this presentation to make it very 1476 00:51:04,140 --> 00:51:05,039 basic. 1477 00:51:05,040 --> 00:51:06,239 But what you can do is with the 1478 00:51:06,240 --> 00:51:08,219 vulnerability you can directly, instead 1479 00:51:08,220 --> 00:51:09,989 of executing a rope chain, you can 1480 00:51:09,990 --> 00:51:11,489 directly right to memory. 1481 00:51:11,490 --> 00:51:13,049 So you don't really have to use a chain 1482 00:51:13,050 --> 00:51:14,789 to write to memory at all. 1483 00:51:14,790 --> 00:51:16,859 So, for example, if 1484 00:51:16,860 --> 00:51:18,029 I go back, you. 1485 00:51:23,000 --> 00:51:24,199 So, see, you're the second. 1486 00:51:26,250 --> 00:51:27,749 The second example in this case. 
1487 00:51:41,540 --> 00:51:44,149 Here you are in the second example, 1488 00:51:44,150 --> 00:51:46,009 tells you that you can use this advanced 1489 00:51:46,010 --> 00:51:48,589 country use technique to write to memory. 1490 00:51:48,590 --> 00:51:49,850 So what you can do is. 1491 00:51:51,800 --> 00:51:54,319 You can generate an array of memory 1492 00:51:54,320 --> 00:51:56,419 and redirect the right of disarray 1493 00:51:56,420 --> 00:51:58,369 to override the data structures, for 1494 00:51:58,370 --> 00:52:00,049 example, that don't really have to 1495 00:52:00,050 --> 00:52:01,239 execute a doctrine at all. 1496 00:52:04,960 --> 00:52:06,780 Are there any more questions? 1497 00:52:08,340 --> 00:52:10,289 There is a question from our signal Angel 1498 00:52:10,290 --> 00:52:12,649 on Iasi, yes, is 1499 00:52:12,650 --> 00:52:14,449 Emet often used as a company? 1500 00:52:16,620 --> 00:52:19,169 I didn't really see it very often because 1501 00:52:19,170 --> 00:52:21,149 the problem is with their compatibility. 1502 00:52:21,150 --> 00:52:23,519 So for example, if I'm using at home my 1503 00:52:23,520 --> 00:52:25,589 Firefox is just crashing or three or four 1504 00:52:25,590 --> 00:52:27,599 days because Mezzeh is that that's an 1505 00:52:27,600 --> 00:52:29,549 attack. But in reality, that's not a 1506 00:52:29,550 --> 00:52:31,889 Texas has a high false 1507 00:52:31,890 --> 00:52:33,179 positive rate. 1508 00:52:33,180 --> 00:52:35,249 And I think that's the main problem 1509 00:52:35,250 --> 00:52:36,449 of it. 1510 00:52:36,450 --> 00:52:38,549 But and I also think that's 1511 00:52:38,550 --> 00:52:40,409 a problem, that it's not so easy to 1512 00:52:40,410 --> 00:52:42,269 deploy into domain. 1513 00:52:42,270 --> 00:52:44,159 So, yes, thank you. 1514 00:52:45,770 --> 00:52:47,389 Any more questions? 1515 00:52:47,390 --> 00:52:49,069 Yes. Microphone number two, please. 
1516 00:52:49,070 --> 00:52:50,809 And do you consider Windows secure to 1517 00:52:50,810 --> 00:52:53,630 operate in a corporation organizations? 1518 00:52:55,720 --> 00:52:56,720 Sorry. 1519 00:52:57,080 --> 00:52:59,269 Would you recommend deploying windows 1520 00:52:59,270 --> 00:53:00,830 within organizations 1521 00:53:01,910 --> 00:53:02,659 windows? 1522 00:53:02,660 --> 00:53:04,849 Yes, it's hard 1523 00:53:04,850 --> 00:53:08,059 to say, but in my opinion, 1524 00:53:08,060 --> 00:53:10,369 in my opinion, in the basic configuration 1525 00:53:10,370 --> 00:53:12,529 of windows, it's harder to exploit Linux 1526 00:53:12,530 --> 00:53:15,549 because Linux you have to 1527 00:53:15,550 --> 00:53:16,550 to compile it, 1528 00:53:18,770 --> 00:53:21,229 because in my opinion, you have to 1529 00:53:21,230 --> 00:53:23,329 Linux, you have to add the compiler 1530 00:53:23,330 --> 00:53:25,249 flack for PI for position dependent 1531 00:53:25,250 --> 00:53:27,319 executables that addresses 1532 00:53:27,320 --> 00:53:28,999 the reputation is really effective. 1533 00:53:29,000 --> 00:53:31,069 So if it's just compiler and executable 1534 00:53:31,070 --> 00:53:33,259 in Linux, it's not relocated 1535 00:53:33,260 --> 00:53:34,809 to another to another location. 1536 00:53:34,810 --> 00:53:36,079 So the code section will be always at the 1537 00:53:36,080 --> 00:53:37,399 same location. 1538 00:53:37,400 --> 00:53:39,139 And the problem is that many standard 1539 00:53:39,140 --> 00:53:41,239 applications have 1540 00:53:41,240 --> 00:53:43,339 not addressed limitation there. 1541 00:53:43,340 --> 00:53:45,889 And the situation is better on Windows. 1542 00:53:47,220 --> 00:53:49,079 But it just depends, 1543 00:53:50,100 --> 00:53:51,929 because if more people are using windows 1544 00:53:51,930 --> 00:53:54,119 that take us, try to attack windows and 1545 00:53:54,120 --> 00:53:55,120 yell. 1546 00:53:57,170 --> 00:53:58,210 Any more questions? 
1547 00:54:01,860 --> 00:54:04,529 No, seems like we have two 1548 00:54:04,530 --> 00:54:06,449 additional questions from our side. 1549 00:54:06,450 --> 00:54:08,909 Yeah, um, uh, have you tested 1550 00:54:08,910 --> 00:54:11,489 this technique with other exploits? 1551 00:54:13,290 --> 00:54:15,599 Uh, I have 1552 00:54:15,600 --> 00:54:17,519 tested this with a test of his test 1553 00:54:17,520 --> 00:54:19,259 application for myself. 1554 00:54:19,260 --> 00:54:21,629 And I also verified that it is working 1555 00:54:21,630 --> 00:54:23,819 for, uh, for falsely 1556 00:54:23,820 --> 00:54:26,819 exploit, but with other 1557 00:54:26,820 --> 00:54:28,649 prospects because I didn't test it is 1558 00:54:28,650 --> 00:54:30,719 because I know it's just working because, 1559 00:54:30,720 --> 00:54:33,059 um, because I 1560 00:54:33,060 --> 00:54:34,979 have built everything based on emptily. 1561 00:54:34,980 --> 00:54:37,079 But in this case, this special 1562 00:54:37,080 --> 00:54:39,359 ability really allows me to do much stuff 1563 00:54:39,360 --> 00:54:40,919 because I can just read from memory, I 1564 00:54:40,920 --> 00:54:43,169 can write to memory as I like, 1565 00:54:43,170 --> 00:54:44,849 and I'm not questioning anything, so I 1566 00:54:44,850 --> 00:54:46,319 can just read it again and again. 1567 00:54:46,320 --> 00:54:47,699 So in this case, it's quite easy to do 1568 00:54:47,700 --> 00:54:49,980 it. If you really have to bypass 1569 00:54:51,000 --> 00:54:53,069 a local application like pharmacy 1570 00:54:53,070 --> 00:54:54,689 or something like that, everything 1571 00:54:54,690 --> 00:54:56,249 becomes a little bit harder because you 1572 00:54:56,250 --> 00:54:58,229 cannot apply to advance coproduced 1573 00:54:58,230 --> 00:55:00,599 technique so that you cannot execute task 1574 00:55:00,600 --> 00:55:02,759 called inside a local application. 
1575 00:55:02,760 --> 00:55:04,469 And that means you have to implement 1576 00:55:04,470 --> 00:55:06,299 everything inside the rope chain. 1577 00:55:06,300 --> 00:55:07,799 And that means everything becomes really 1578 00:55:07,800 --> 00:55:09,609 hard because you don't have to make an 1579 00:55:09,610 --> 00:55:11,639 additional jumps to ensure that it 1580 00:55:11,640 --> 00:55:13,119 reliable against all different kinds of 1581 00:55:13,120 --> 00:55:14,399 operating systems. 1582 00:55:14,400 --> 00:55:15,469 But it's still possible. 1583 00:55:17,090 --> 00:55:18,979 We have another question from microphone 1584 00:55:18,980 --> 00:55:20,199 number three. 1585 00:55:20,200 --> 00:55:23,269 Hey, thank you for the presentation. 1586 00:55:23,270 --> 00:55:25,249 Are there any plans to implement some of 1587 00:55:25,250 --> 00:55:27,109 those protections on the colonel side? 1588 00:55:27,110 --> 00:55:29,239 I mean, I've seen Hope Gardens, 1589 00:55:29,240 --> 00:55:31,339 Sentinel by Corps and Emet, 1590 00:55:31,340 --> 00:55:32,689 everything is implemented on the 1591 00:55:32,690 --> 00:55:34,759 USERSPACE and some of those 1592 00:55:34,760 --> 00:55:36,889 protection, I assume, and I know could be 1593 00:55:36,890 --> 00:55:37,879 implemented. 1594 00:55:37,880 --> 00:55:39,959 Colonel, I just want to know why. 1595 00:55:39,960 --> 00:55:42,109 I just know that implements the 1596 00:55:42,110 --> 00:55:43,609 nitpicks protection. 1597 00:55:43,610 --> 00:55:44,989 This is a protection for current 1598 00:55:44,990 --> 00:55:46,789 vulnerabilities, but I'm not aware of 1599 00:55:46,790 --> 00:55:48,259 other tools to implement anything 1600 00:55:48,260 --> 00:55:50,419 internal for windows. 1601 00:55:50,420 --> 00:55:51,589 So sorry. 1602 00:55:51,590 --> 00:55:52,939 I don't know. 1603 00:55:52,940 --> 00:55:54,949 Another question from our Segolene Royal. 1604 00:55:54,950 --> 00:55:56,269 Um, yes. 
1605 00:55:56,270 --> 00:55:58,399 Isn't the size of expert court 1606 00:55:58,400 --> 00:56:00,469 phone lines of court with or without 1607 00:56:00,470 --> 00:56:02,659 Emet and five thousand with 1608 00:56:03,730 --> 00:56:05,419 huge uterine in terms of added 1609 00:56:05,420 --> 00:56:06,739 complexity? 1610 00:56:06,740 --> 00:56:08,839 Yeah, that's I think that's the idea of 1611 00:56:08,840 --> 00:56:09,799 šemeta. 1612 00:56:09,800 --> 00:56:12,409 What they say it is that they know that 1613 00:56:12,410 --> 00:56:14,719 it can be broken, but they just want to 1614 00:56:14,720 --> 00:56:16,819 add additional workload for the attacker. 1615 00:56:16,820 --> 00:56:20,029 So if I would be an attacker 1616 00:56:20,030 --> 00:56:22,219 and 100 percent go 1617 00:56:22,220 --> 00:56:24,619 to my website and just one person as 1618 00:56:24,620 --> 00:56:26,719 a neighbor, it would not make 1619 00:56:26,720 --> 00:56:28,519 it sink. It would not make any sense to 1620 00:56:28,520 --> 00:56:30,679 add bypasses for Anne-Mette because 1621 00:56:30,680 --> 00:56:32,779 it's just one person, which I miss. 1622 00:56:32,780 --> 00:56:35,089 But if more persons would use Emet, 1623 00:56:35,090 --> 00:56:37,169 I would add this work 1624 00:56:37,170 --> 00:56:38,170 additional workload. 1625 00:56:39,290 --> 00:56:41,629 But in this five thousand 1626 00:56:41,630 --> 00:56:43,699 lines of code, I really have implemented 1627 00:56:43,700 --> 00:56:45,259 many, many Pybus techniques. 1628 00:56:45,260 --> 00:56:46,939 So if you just want to bypass it one 1629 00:56:46,940 --> 00:56:48,589 time, it's quite easy. 1630 00:56:48,590 --> 00:56:50,599 For example, the exploitation code from 1631 00:56:50,600 --> 00:56:52,699 offensive security has about 300 lines of 1632 00:56:52,700 --> 00:56:54,349 code or something like that and can also 1633 00:56:54,350 --> 00:56:55,549 bypass Emet. 
1634 00:56:55,550 --> 00:56:57,379 But in my case, five thousand lines of 1635 00:56:57,380 --> 00:56:59,539 code are generated because I have 1636 00:56:59,540 --> 00:57:02,029 implemented about six or 10 1637 00:57:02,030 --> 00:57:03,979 methods to bypass each protector. 1638 00:57:03,980 --> 00:57:05,840 So that's why it's so much. 1639 00:57:08,910 --> 00:57:11,009 I think we have no further 1640 00:57:11,010 --> 00:57:13,269 questions from the audience, thank you 1641 00:57:13,270 --> 00:57:14,280 of the fine Gullberg.