EMET version 5 has been out for only a few months and Offensive Security has identified bypass methods:<\/p>\n
\nINTRODUCTION<\/h4>\n
In our previous Disarming Emet 4.x<\/a> blog post, we demonstrated how to disarm the ROP mitigations introduced in EMET 4.x by abusing a global variable in the .data<\/em> section located at a static offset. A general overview of the EMET 5 technical preview has been recently published here<\/a>. However, the release of the final version introduced several changes that mitigated our attack and we were curious to see how difficult it would be to adapt our previous disarming technique to this new version of EMET. In our research we targeted 32-bit systems and compared the results across different operating systems (Windows 7 SP1, Windows 2008 SP1, Windows 8, Windows 8.1, Windows XP SP3 and Windows 2003 SP2). We chose to use the IE8 ColspanID vulnerability<\/a> once again in order to maintain consistency through our research.<\/p>\n
ROP PROTECTIONS CONFIGURATION HARDENING<\/h4>\n
The very first thing that we noticed is that the global variable we exploited to disarm the ROP Protections (ROP-P) routine is not pointing directly to the ROP-P general switch anymore. This variable, which is now at offset 0x000aa84c<\/em> from the EMET.dll<\/em> base address, holds an encoded pointer to a structure of 0x560 bytes (See CONFIG_STRUCT<\/em> in Fig. 1). The ROP-P general switch is now located at CONFIG_STRUCT+0x558<\/em> (Fig. 1, Fig. 2)<\/p><\/blockquote>\n