Agafi (Advanced Gadget Finder)

The introduction of the NX bit in Intel CPUs, and its use by current operating systems, marked a before and an after in how binary bugs are exploited.

Over time, direct execution of DATA died out and was replaced by DEP (Data Execution Prevention), forcing the exploitation techniques used until then to improve.

Nowadays, it's not possible to take control of modern applications without using ROP (Return-Oriented Programming). ROP uses GADGETS (usually small groups of instructions), which cannot always be detected by primitive gadget finders (which is most of them).

The evolution of SEH exploitation, together with the use of gadgets, could be a good example of this:

First-generation exploits (DEP disabled):
"pop REG"
"pop REG"
"ret" <--- Stack address

Second-generation exploits (DEP enabled):
"mov REG,[ebp+0xc]"
"mov [esp],REG"
"call dword [REG+0x8]" <--- Stack Pivoting address

In this presentation I'm going to show you a recently developed tool that uses:
- QEMU (CPU/MMU) for x86
- Taint Analysis
- A process snapshot
- Finding by objective

It is able to find, through CODE EMULATION, all existing gadgets in a process's memory space.

In the second part, I'll show you a rop-chainer tool and the heuristics used to generate ROP-CHAINS, including a variant of the PUSHAD/RET technique.
