Agafi (Advanced Gadget Finder)

Thursday, October 30, 2014
Nicolás Economou

The arrival of the NX bit in Intel CPUs, and its use by current operating systems, marked a before and an after in the way binary bugs are exploited.

Over time, direct execution of DATA died out and was replaced by DEP (Data Execution Prevention), which forced the exploitation techniques used until then to improve.

Nowadays, it's not possible to take control of modern applications without using ROP (Return-Oriented Programming). ROP uses GADGETS (usually small groups of instructions) that cannot always be detected by primitive gadget finders (which most are).

The evolution of SEH exploitation, together with the use of gadgets, is a good example of this:

First-generation exploits (DEP disabled):
"pop REG"
"pop REG"

Second-generation exploits (DEP enabled):
"mov REG,[ebp+0xc]"
"mov [esp],REG"
"call dword [REG+0x8]"

In this presentation I'm going to show you a recently developed tool that uses:
- QEMU (CPU/MMU) for x86
- Taint Analysis
- A process snapshot
- Finding by objective

It is able to find, through CODE EMULATION, all existing gadgets in a process's memory space.

In the second part, I'll show you a ROP-chainer tool and the heuristics used to generate ROP-CHAINS, including a variant of the PUSHAD/RET technique.