While EMET 5.2 may only be about a week old, there is already information about one way of bypassing one of EMET’s security protection methods.
r41p41 posted information about a ROP bypass in the latest EMET version, 5.2.
TLDR: EMET 5.2 can be bypassed with ease by jumping past its hooks using simple ROP.
19th March 2015 Addition: I’ve bypassed EMET’s protections with generic ROP too, no need to specifically target now. However, I am not releasing the POC.
Only effective bypass up until now for EMET was the one which offensive security guys did.
offsec EMET 5.1
I was trying the same approach before, but since the arrival of EMET 5.2 it was only a matter of time before someone reverse engineered EMET’s internal structures and found out a bypass. My time was both limited and valuable, so I jumped right into it. Upon watching OllyDbg’s memory mapping, I saw TONS of page guards in memory.
Something told me this approach would only end in sophistication,
and I changed my approach, thus manually beginning to browse EMET’s hook handler.
Conclusion: EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products. But if we get to study the system, it’s only a matter of time.
Addition: On March 19th 2015, I managed to bypass EMET’s protections using GENERIC ROP. So whether EMET exists in the system or not, the exploit works fully. However, due to its more negative use than positive, I am not releasing the code. Icing on the top, this bypasses all of the enterprise exploit mitigation toolkits I’ve got my hands on. A small explanation is blogged here.
Read more on Defeating EMET 5.2
(Note: There is language some may find offensive.)