logo

The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy

Conference:  Defcon 27

2019-08-01

Summary

The presentation discusses Jump Oriented Programming (JOP) and introduces the JOP Rocket, a tool for discovering functional and dispatcher gadgets in Windows environments.
  • JOP creates a side door to bypass exploit chain mitigations and execute shellcode
  • JOP differs from Return Oriented Programming (ROP) in that it uses jump and call instructions instead of relying on the stack for control flow
  • The JOP Rocket is a Python script that performs static analysis and features a command line user interface with flexible gadget discovery options
  • The JOP Rocket can be used to scan executables and their associated modules for functional and dispatcher gadgets
  • The JOP Rocket's minimalist user interface allows for easy establishment of registers of interest and scope
In the late 1300s, rocket cats were used to deliver explosives to well-defended castles. Similarly, the JOP Rocket tool aims to deliver malicious payloads by subverting defenses and bypassing exploit chain mitigations.

Abstract

Return-oriented Programming (ROP) has been the predominate code-reuse attack for over a decade, but there are other options. Many mitigations can detect ROP due to heuristics, but these fail to detect Jump-oriented Programming (JOP). The JOP ROCKET is a reverse engineering framework dedicated to facilitating JOP exploits. It allows hackers to discover JOP gadgets. This includes dispatcher gadget's, which helps to subvert and direct the control flow, and functional gadgets, our primitives. This tool provides numerous options to give hackers flexibility on how to find gadgets, to narrow and expand possibilities. Additionally, the tool uses opcode-splitting to discover many unintended gadgets. All gadgets are classified based on operation as well as registers used and affected. Thus, hackers could easily obtain the desired functional gadgets, such as MOV EBX, [VALUE], using simple language commands. Because of JOP's much more complex set up, the tool provides this classification, so time isn’t wasted hunting through results. JOP is rarely done in the wild. Part of that complexity is in set up, but another part is the lack of dedicated tools. Having to find JOP gadgets manually could be time-consuming and require expertise. JOP ROCKET simplifies that, allowing the JOP gadgets to be found quickly and easily. This talk will give brief content on ROP, and then it introduces JOP and its history. Then we will dive into JOP ROCKET, discussing its features, how to use it to find JOP gadgets, and how to set up your own JOP exploit. We will then demo the tool.

Materials:

Tags:

Post a comment

Related work

Conference:  Defcon 31
Authors: Dr. Bramwell Brizendine Assistant Professor at University of Alabama in Huntsville, Shiva Shashank Kusuma Master's Student, University of Alabama in Huntsville
2023-08-01