Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP Black Hat Asia 2021 Bramwell Brizendine, Ph.D. Director, VERONA Lab Assistant Professor, Dakota State University [email protected] Austin Babcock Security Researcher, VERONA Lab [email protected] TABLE OF CONTENTS Abstract ......................................................................................................................................................... 4 1. Introduction .............................................................................................................................................. 4 1.1 Terminology .................................................................................................................................. 5 2. Jump-Oriented Programming Fundamentals ........................................................................................... 6 2.1 JOP in Other Environments ................................................................................................................. 9 3. JOP ROCKET ............................................................................................................................................... 9 3.1 Research Problem ............................................................................................................................... 9 3.2 Design of JOP ROCKET ....................................................................................................................... 10 3.3 Finding Dispatcher Gadgets with JOP ROCKET ................................................................................. 11 3.4 Alternative Forms of the Dispatcher Gadget .................................................................................... 12 3.5 Storing JOP Gadgets .......................................................................................................................... 13 3.6 Static Analysis Considerations .......................................................................................................... 13 3.7 Scanning Binaries .............................................................................................................................. 14 3.8 Filtering based on Mitigations and Bad Bytes................................................................................... 14 3.9 Research Contributions of JOP ROCKET ............................................................................................ 15 3.10 Usage of JOP ROCKET ...................................................................................................................... 15 3.10.1 Print Submenu ......................................................................................................................... 16 3.10.2 JOP Chains submenu ................................................................................................................ 16 3.10.3 Other Options .......................................................................................................................... 17 3.10.4 Memory Issues with Very Large Applications .......................................................................... 17 4. Novel Variation on JOP Using a Series of Stack Pivots ............................................................................ 17 4.1 Automatic Generation of JOP and ROP Chains with Formulas ......................................................... 18 4.2 Design for Automatic Generation of JOP Chain to Bypass DEP ........................................................ 20 5. Novel Variation on Dispatcher Gadget ................................................................................................... 22 6. Manual techniques for Writing a JOP Exploit ......................................................................................... 24 6.1 Changing Control Flow with Dispatcher Gadgets ............................................................................. 24 6.1.1 The Ideal Gadget ........................................................................................................................ 24 6.1.2 Other Single-Gadget Examples .................................................................................................. 25 6.1.3 Two-Gadget Dispatcher ............................................................................................................. 27 6.2 Choosing Dispatch Registers ............................................................................................................. 28 6.2.1 Dispatch Table Register .............................................................................................................. 28 6.2.2 Dispatcher Gadget Register ....................................................................................................... 29 6.3 Dispatch Table Location .................................................................................................................... 31 2 6.4 Loading Initial Values for DG and DT into Registers ......................................................................... 31 6.4.1 Using JOP Setup Gadget ............................................................................................................. 31 6.5 Using ROP Setup Gadget ................................................................................................................... 33 6.6 Gadgets Ending in the Call ................................................................................................................ 34 6.7 Avoiding Bad Bytes ............................................................................................................................ 34 6.7.1 Avoiding Bad Bytes with JOP Gadgets ....................................................................................... 35 6.8 Potential Payloads ............................................................................................................................. 36 6.8.1 VirtualProtect ............................................................................................................................. 37 6.8.2 VirtualAlloc + WriteProcessMem/Memmove/Memcpy ............................................................ 38 6.9 Writing Parameters for API Function Calls ........................................................................................ 38 6.9.1 PUSH ........................................................................................................................................... 38 6.9.2 MOV DWORD PTR ...................................................................................................................... 40 6.9.3 Stack Pivots ................................................................................................................................ 42 6.10 Dereferencing Function Pointers .................................................................................................... 42 6.11 Switching Registers ......................................................................................................................... 43 6.11.1 Switching Dispatcher Gadget Registers ................................................................................... 43 6.11.2 Switching Dispatch Table Registers.......................................................................................... 44 6.12 Bypassing ASLR with JOP ................................................................................................................. 45 6.13 Using JOP as ROP ............................................................................................................................ 46 6.14 Manual Approach to Using a Series of Stack Pivots ........................................................................ 47 7. CFI Mitigations ........................................................................................................................................ 48 7.1 Control Flow Guard ........................................................................................................................... 49 7.2 Control-Flow Enforcement Technology ............................................................................................ 49 7.3 Extreme Flow Guard ......................................................................................................................... 50 7.4 Overcoming CFG ............................................................................................................................... 51 8. Alternative Paradigm of JOP with Dereferences..................................................................................... 52 8.1 Control Flow Mechanics .................................................................................................................... 52 8.2 Finding the Dispatch Table in Memory ............................................................................................. 54 8.3 JOP ROCKET Limitations with this Paradigm of JOP .......................................................................... 54 9. Conclusions ............................................................................................................................................. 54 9.1 Novel Contributions .......................................................................................................................... 55 9.2 Limitations ........................................................................................................................................