JOP ROCKET: Bypassing DEP with Jump-Oriented Programming

Much focus has been on Return-oriented Programming, or ROP, with respect to code-reuse attacks, to the extent that many assume code-reuse attacks is just another word for ROP. However, we also have Jump-oriented Programming, or JOP. Until recently JOP, was a footnote, seldom referenced or used, barely introduced in the academic literature in the early 2010s and then mostly ignored and not discussed. There were even claims fairly recently that JOP had never been done in the wild, although it actually had been, only very rarely. Until recently, there was never so much as a viable, actual working demo on how to do JOP in a modern Windows environment or really any environment. Thus, JOP was like a phantom, out there lurking the shadows, but not really done.

JOP ROCKET was released by Brizendine, stemming from his doctoral dissertation, and it helps provide the ability to produce JOP gadgets, each broken down into many different categories. JOP ROCKET is the first utility to discover dispatcher gadgets, which are required to do an exploit entirely without the use of ROP. With dispatcher gadgets and JOP gadgets, we can entirely avoid the use of the stack for control flow purposes. In late 2020, JOP ROCKET released support for the automatic construction of totally complete JOP gadget chains in Python. The automated JOP chain construction involves a novel form of JOP, although it still uses the dispatcher gadget. The JOP ROCKET can now produce complete JOP gadget chains for VirtualProtect and VirtualAlloc.

It is possible to do a JOP exploit entirely without the use of a single RET. While JOP is similar to ROP in some ways, in that both utilize gadgets consisting of borrowed chunks of code, there are also very significant differences in JOP. For instance, we can completely avoid using the stack for control flow purposes with JOP, instead using a dispatcher gadget and dispatch table. We would only use the stack to set up calls to Windows APIs, such as VirtualAlloc or VirtualProtect, that might be used to help bypass DEP. While much has been written about ROP, very little of actual practical value has been written about JOP. Brizendine and Babcock have explored the fundamental nature of JOP extensively, discovering the various nuances and gotcha’s of constructing JOP exploits. Much of what they have discovered has never been documented anywhere else before.

In a modern, Windows 10 environment, CFG can provide defense against JOP. However, this is not true for binaries that were compiled with CFG; those that were not, provide no defense against JOP. As with some simple ASLR bypasses, even if CFG is used, it can be possible to use a non-CFG module or DLL. Windows 7 also does not provide CFG. Thus, while in some cases defense against JOP is possible, this is not always the case.

This talk will be a deep dive into Jump-Oriented Programming fundamentals and the JOP ROCKET. The presentation will introduce code-reuse attacks briefly, giving a short refresher on ROP. Then we will introduce the JOP ROCKET and Jump-oriented Programming. We will discuss how to use the JOP ROCKET to find JOP gadgets, to manually craft a sophisticated JOP exploit chain, allowing for bypass of DEP and/or ASLR. In the process, we will provide detailed discussion of the many nuances and gotcha’s of JOP. We will also explore how to use the JOP ROCKET to automatically generate a Python script of a complete JOP exploit, to bypass VirtualAlloc or VirtualProtect. We will provide two demos of JOP – one using a manual approach to craft a more challenging JOP exploit chain, and another by using the prebuilt JOP chain.

Location: Track 1 Date: May 27, 2021 Time: 11:30 am - 12:30 pm Bramwell Brizendine Austin Babcock