Enhanced Mitigation Experience Toolkit (EMET)

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Mon May 19, 2014 9:22 am

v.4.1 Update 1 (Release) [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41138

v.5.0 Technical Preview [tool + MS PDF doc]
http://www.microsoft.com/en-us/download ... x?id=41963

Inside EMET 4.0 by MSRC (Elias Bachaalany)
http://recon.cx/2013/slides/Recon2013-E ... ET%204.pdf

EMET 4.1 Uncovered by Dabbadoo
http://0xdabbad00.com/wp-content/upload ... overed.pdf

Bypassing EMET v.4.1 by Bromium Labs
http://bromiumlabs.files.wordpress.com/ ... et-4-1.pdf

Announcing EMET 5.0 Technical Preview by MSRC
http://blogs.technet.com/b/srd/archive/ ... eview.aspx

EMET 4.0's Certificate Trust Feature by MSRC
http://blogs.technet.com/b/srd/archive/ ... ature.aspx

EMET, preventing the exploitation and unobvious settings [RU] by ESET Russia
http://habrahabr.ru/company/eset/blog/221129/

Exploits in targeted attacks vs. EMET in 2013 by Andreas Lindh
https://twitter.com/addelindh/status/464761124173668352

EMET vs. CVE-2014-1776 by MSRC
http://blogs.technet.com/b/srd/archive/ ... -0day.aspx

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Fri Aug 01, 2014 10:58 am


rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Sat Mar 21, 2015 5:21 pm


rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Sat Mar 21, 2015 5:22 pm


spqr
Posts: 1
Joined: Wed Mar 25, 2015 10:39 am

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by spqr » Wed Mar 25, 2015 11:07 am

If the OS is CFG-aware, is the disarming technique described above equally applicable, or do you need a further step?

Juggl3r
Posts: 4
Joined: Fri Apr 03, 2015 1:37 pm

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by Juggl3r » Fri Apr 03, 2015 1:55 pm

Hello,
you can find my research on the topic at:
https://www.youtube.com/watch?v=_OM88DTs56k
Slides:
https://prezi.com/sz34ptcpz0vn/

When EMET 5.2 was released I had a very quick look at it. Basically all my exploits worked without any modifications.
The only thing which should change stuff is CFG. Only EMET.dll (which gets injected into all protected applications) is now compiled with CFG support.
That means that indirect calls are now checked. E.g. if we have "call eax", eax will be verified to point to a whitelisted location.
However, I didn't have an in-depth look at the stuff because everything worked without a modification.
In my slides I mention that I'm using a "call eax" gadget to bypass caller/simexec flow from EMET.dll. This ensures maximum reliability but the address must be specified for all EMET versions.
You can also use a "call eax" from the application itself instead (e.g. mozjs.dll in my case of Firefox). Since I'm using the "call eax" from Firefox and not from the protected EMET.dll file, CFG will change nothing.
That's why my exploit still works (I only had to modify the code which finds the start of EMET.dll, which was 1 LoC).

So from my point of view there is no additional security, you just have to use the "call r32" from the app instead.
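
A defender-side check for the point made in the post above, that CFG only verifies indirect calls in modules that were themselves compiled with it. This is an added example, not part of the original thread and not code from the poster or from Microsoft: it reads the DllCharacteristics field of each module's PE header and lists the modules lacking the IMAGE_DLLCHARACTERISTICS_GUARD_CF flag. The module names, header bytes and helper names are constructed for illustration.

```python
import struct

GUARD_CF = 0x4000      # IMAGE_DLLCHARACTERISTICS_GUARD_CF: image built with CFG
DLLCHAR_OFFSET = 70    # DllCharacteristics offset, same in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20  # skip the signature and the 20-byte COFF file header
    if len(image) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<H", image, opt_off + DLLCHAR_OFFSET)[0]


def modules_without_cfg(modules: dict) -> list:
    """Sorted names of modules whose header does not advertise CFG."""
    return sorted(name for name, image in modules.items()
                  if not dll_characteristics(image) & GUARD_CF)


def build_sample_header(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal PE header for the demo; not a loadable image."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed sample process: one module built with CFG, one built without it.
SAMPLE = {
    "mitigation_agent.dll": build_sample_header(0x4140),   # GUARD_CF | NX | ASLR
    "app_script_engine.dll": build_sample_header(0x0140),  # NX | ASLR only
}

if __name__ == "__main__":
    for name in modules_without_cfg(SAMPLE):
        print(f"{name}: no GUARD_CF flag, indirect calls in this module are not checked")
```

On a real system the same functions can be fed the bytes of each DLL loaded by the protected process; the flag is a header-level indicator only, so a module that sets it should still be confirmed against its load configuration data.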

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Mon Apr 11, 2016 10:37 am

Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available (2 Feb, 2016)

[+] Windows 10 compatibility
[+] Improved configuration of various mitigations via GPO
[+] Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
[+] EAF/EAF+ pseudo-mitigation performance improvements
[+] Support for untrusted fonts mitigation in Windows 10

https://blogs.technet.microsoft.com/srd ... available/
Download: https://www.microsoft.com/en-us/downloa ... x?id=50766

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Mon Apr 11, 2016 10:38 am


rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Enhanced Mitigation Experience Toolkit (EMET)

Post by rkhunter » Mon Sep 26, 2016 2:37 pm


