Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 10:20 a.m. (40 minutes)

ROP has become virtually synonymous with code-reuse attacks in exploit development, but the reality is there is another way: Jump-oriented Programming (JOP). Until recently, there were no dedicated tools to do JOP, unlike with ROP, which has many excellent tools, such as Mona and ROPgadget. In fact, there were even claims that JOP had never been done in the wild (not true). There is virtually no practical information on how to perform JOP, and it would have been a monumental effort to do pure JOP, without a dedicated tool. Thus, JOP was a phantom, lurking in the shadows, unknown.

Times have changed; JOP is now possible with the new JOP ROCKET, a reverse engineering and exploitation framework for JOP developed by Brizendine as part of his doctoral dissertation research. With the latest version of JOP ROCKET, the tool can now produce a pre-built JOP chain, which under ideal circumstances, can work with minimal user modification. With JOP ROCKET, you can develop a JOP exploit that, similar to ROP, allows for the bypass of Data Execution Prevention (DEP), or other mitigations such as ASLR; we show both in demo.

This talk serves to bring this previously arcane, esoteric knowledge of JOP to the people. It introduces the challenging, technical details of how to perform JOP exploits. The talk focuses heavily on giving examples and demos of JOP exploits, and explaining the many nuances. While JOP is similar to ROP, it is also extremely different, and there are many non-obvious gotcha's. JOP is a challenging, non-trivial code-reuse attack, seldom discussed, and this talk teaches people how to use it with the JOP ROCKET.

Our major update is the prebuilt JOP chain to bypass DEP with VirtualProtect() or VirtualAlloc(). While JOP exploit development can be challenging, this pre-built JOP chain simplifies the process.

Presenters:

• Austin Babcock - Security Researcher, VERONA Lab
  Austin Babcock is pursuing his Master's in Computer Science at Dakota State University, where he works as a security researcher at VERONA Lab under Dr. Bramwell Brizendine. Austin has extensively studied code-reuse attacks, doing research into the fundamentals of Jump-oriented Programming (JOP) in the Windows environment, in addition to developing JOP exploits. Austin also currently works at VERONA Lab with Dr. Brizendine on developing a shellcode analysis framework that is supported by an NSA grant.
• Bramwell Brizendine - Assistant Professor of Computer and Cyber Sciences, Dakota Stata University
  Dr. Bramwell Brizendine completed his PhD in Cyber Operations recently, where he did his dissertation on Jump-Oriented Programming, a hitherto, seldom-studied and poorly understood subset of code-reused attacks. Bramwell developed a fully-featured tool that helps facilitate JOP exploit development, the JOP ROCKET. Bramwell is the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab), specializing in vulnerability research, software exploitation, software security assessments, and the development of new, cutting-edge tools and techniques with respect to software exploitation. Bramwell also teaches undergraduate, graduate, and doctoral level courses in software exploitation, reverse engineering, malware analysis, and offensive security at Dakota State University.

Links:

• https://www.blackhat.com/asia-21/briefings/schedule/#pre-built-jop-chains-with-the-jop-rocket-bypassing-dep-without-rop-22320

Similar Presentations:

• DEF CON 27 (2019) / The JOP ROCKET: A Supremely Wicked Tool for JOP Gadget Discovery, or What to Do If ROP Is Too Easy
• DEF CON 27 (2019) / HackPac: Hacking Pointer Authentication in iOS User Space
• SOURCE Seattle 2016 / At the Dawn of CET: Hunting Valid Gadget with Big Data