Tweaking Metasploit Modules To Bypass EMET – Part 2

We continue our series of tweaking Metasploit modules to bypass EMET, without changing Metasploit’s payloads. Last time, we talked about bypassing EMET’s EAF using SEH. Since this technique may not necessarily fit your exploit, we present a second technique that bypasses EMET’s EAF without using SEH or changing Metasploit’s payload.

If you haven’t read it yet, bring yourself up to speed by reading part 1 of this series. It contains a lot of valuable information, as well as a description of our setup. We continue with the simple Poison Ivy exploit on Windows XP SP3. One more thing to note is that in this exploit we have quite a lot of stack space. Naturally, if that’s not the case with your exploit, you’ll need to wiggle a bit to make yourself some room.

As before, EMET is set up like this:

In this exploit, all we have to bypass is EAF.

Bypassing EMET’s EAF Without Using SEH

You may want to bypass EMET’s EAF, but you can’t use SEH. What are your options then?

  1. You can use SkyLined’s method of bypassing EAF by finding code in ntdll.dll that reads memory addresses (henceforth, the “memory reader”), and using it to access the EAT. EAF sees that the access comes from ntdll.dll, and approves it. Unfortunately, using this technique requires modifying Metasploit’s payload, contrary to the solution we’re looking for.
  2. You can use Piotr Bania’s method of bypassing EAF by using SetThreadContext to zero the debug registers. However, since we face a chicken-and-egg problem when trying to get SetThreadContext’s address, the proposed technique uses hardcoded system call values. Unfortunately, this is not generic, so we can’t use it as is.

But what if we could take the best of both techniques? We could use SkyLined’s method to get the address of SetThreadContext, and then use Piotr Bania’s method to zero the debug registers. This provides a generic way to bypass EAF without modifying the Metasploit payloads. Note that although Microsoft’s documentation might suggest otherwise, it’s OK to use SetThreadContext on a running thread if you only modify the debug registers.
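Seen from the detection side, the combined technique ends in a SetThreadContext call that writes the debug registers and leaves DR7 with no breakpoint enabled. The following is an added example, not code from the original post, that flags that transition; it assumes telemetry that records every debug-register write, and the event field names and sample values are constructed.

```python
# Added example: detection logic over constructed telemetry (field names are hypothetical).
CONTEXT_I386 = 0x00010000
CONTEXT_DEBUG_REGISTERS = CONTEXT_I386 | 0x10   # x86 value from winnt.h
DR7_ENABLE_MASK = 0xFF                          # L0/G0 .. L3/G3 enable bits


def writes_debug_registers(event):
    """True if the call is SetThreadContext with the debug-register flag set."""
    return (event["api"] == "SetThreadContext"
            and (event["context_flags"] & CONTEXT_DEBUG_REGISTERS)
            == CONTEXT_DEBUG_REGISTERS)


def find_breakpoint_disarm(events):
    """Return events where a thread's armed hardware breakpoints are all cleared."""
    last_dr7 = {}   # (pid, tid) -> DR7 from the last debug-register write seen
    hits = []
    for ev in events:
        if not writes_debug_registers(ev):
            continue
        key = (ev["pid"], ev["tid"])
        was_armed = (last_dr7.get(key, 0) & DR7_ENABLE_MASK) != 0
        now_armed = (ev["dr7"] & DR7_ENABLE_MASK) != 0
        if was_armed and not now_armed:
            hits.append(ev)
        last_dr7[key] = ev["dr7"]
    return hits


# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    # Assumed: the protection arms breakpoints on thread 100 (enable bits set in DR7).
    {"pid": 4242, "tid": 100, "api": "SetThreadContext", "context_flags": 0x00010010, "dr7": 0x00000155},
    # Control-register write only (CONTEXT_CONTROL): ignored.
    {"pid": 4242, "tid": 100, "api": "SetThreadContext", "context_flags": 0x00010001, "dr7": 0},
    # Debug registers zeroed on the armed thread: flagged.
    {"pid": 4242, "tid": 100, "api": "SetThreadContext", "context_flags": 0x00010010, "dr7": 0},
    # Thread 200 was never armed, so zeroing is not a transition: ignored.
    {"pid": 4242, "tid": 200, "api": "SetThreadContext", "context_flags": 0x00010010, "dr7": 0},
]

if __name__ == "__main__":
    for hit in find_breakpoint_disarm(SAMPLE_EVENTS):
        print("debug registers cleared: pid=%d tid=%d" % (hit["pid"], hit["tid"]))
```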

As always, I didn’t bother optimizing the code – I leave it up to you. So without further ado, here it is:

So here’s the do_exploit function from Metasploit’s official Poison Ivy module:

And here’s the modified version that bypasses EMET’s EAF:

Let’s test it:

 
