Exploiting Windows Exploit Mitigation for ROP Exploits

Conference:  Defcon 27



The presentation discusses the importance of understanding and exploiting Windows vulnerabilities, as well as the need for faster response to threats in the security industry.
  • The speaker emphasizes the need for a bridge between exploiting software and writing shellcode to memory and running it.
  • The presentation discusses the evolution of Windows vulnerabilities and how they can be exploited.
  • The speaker explains the concept of return-oriented programming (ROP) and how it reuses code already present in memory by leveraging stack semantics.
  • The presentation also discusses the need for faster response to threats in the security industry and the potential for drawing on expertise in academia to do so.
The speaker demonstrates injecting a ROP chain into a calculator process and explains how endpoint protection can be bypassed.


“A concept is a brick. It can be used to build a courthouse of reason. Or it can be thrown through the window.” ― Gilles Deleuze

Ever since Smashing the Stack For Fun And Profit was published by Aleph One almost a quarter century ago, the security world has completely changed the way it defends against exploitation. Stack canaries, DEP, ASLR, CFI and various other mitigation techniques were developed to address various exploit techniques. Yet ROP remains a prominent practice employed by many exploits even today. ROP is the most common exploitation method attackers use to turn memory bugs in a target process into malicious executable code. “Next Gen” endpoint security products try to address ROP and other exploitation methods. Windows embraces many mitigation techniques as well. However, mitigation features such as CFG can in fact be leveraged to increase ROP’s attack surface and even allow it to bypass exploit protections! If you are intrigued by ROP and want to learn about the methods in Windows that protect against ROP and how they can be bypassed, this talk is for you! On top of that, a novel method of bypassing the ROP mitigation of most products will also be revealed.


