Bypassing EMET 3.5's ROP Mitigations

Discussion in 'other anti-malware software' started by ZeroDay, Sep 27, 2012.

Thread Status:
Not open for further replies.
  1. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Any truth in this article?

    https://repret.wordpress.com/2012/08/08/bypassing-emet-3-5s-rop-mitigations/
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, it's true. This was discussed in the EMET topic.

    Unfortunately for Windows users there are a select few areas of a program's address space that will always remain static - no matter if you're using EMET or ASLR Always On or not.

    This demonstrates that even a single area of address space is sufficient for an attacker to bypass ASLR.

    Once they've done that it's a matter of bypassing EMET's new Anti-ROP mitigations, which isn't very difficult.

    This doesn't mean EMET is 'broken' or 'weak' - it's still going to protect you from exploits, it's still going to make exploits harder to write, and generic exploitation of a program running EMET is still difficult.
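    The static areas Hungry Man mentions are, from a defender's side, something you can audit for: a module that does not opt into ASLR (or ships with its relocations stripped) loads at a fixed base no matter what EMET is configured to do. The following is an added example, not code from this thread or from the linked article; it parses the PE/COFF headers of a file and reports the DYNAMIC_BASE and NX_COMPAT opt-in flags. The flag values come from the PE/COFF specification; `build_fake_pe` is a constructed minimal header used only so the check can be run offline.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image cannot be rebased
DLL_HIGH_ENTROPY_VA = 0x0020          # DllCharacteristics: 64-bit high-entropy ASLR
DLL_DYNAMIC_BASE = 0x0040             # DllCharacteristics: ASLR opt-in
DLL_NX_COMPAT = 0x0100                # DllCharacteristics: DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the mitigation opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes in total)
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dll_characteristics": dll_chars,
        # DYNAMIC_BASE alone is not enough: without a relocation table the loader
        # cannot move the image, so it still lands at its preferred base.
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & DLL_NX_COMPAT),
        "high_entropy": bool(dll_chars & DLL_HIGH_ENTROPY_VA),
    }


def build_fake_pe(dll_chars: int, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal PE32 header (not a loadable image), for offline testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)).ljust(224, b"\0")
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    with open("module.dll", "rb") as f:   # placeholder path; point it at any real PE file
        print(pe_mitigations(f.read()))
```

Run it over every module loaded into a process (or every DLL in an application's install directory) and any entry with `aslr` false is one of the fixed-address regions the post is talking about.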
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Very true :)
     
  4. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Thank you Hungry Man.
     