Advanced Code-Reuse Attacks with Jump-Oriented Programming

by Black Hat Middle East and Africa

Abstract

Shellcode is often used as a means to achieve arbitrary code execution. On Windows, this involves calling WinAPI functions or issuing Windows syscalls. Historically, much of exploitation has had as its end goal bypassing Data Execution Prevention (DEP) and bringing the process memory of a binary into a state in which shellcode could be executed. Jump-Oriented Programming (JOP) is a seldom-studied form of advanced code-reuse attack that differs substantially from return-oriented programming (ROP): instead of relying on ret instructions and the stack to move from one snippet of code to the next, JOP identifies snippets of code ending in an indirect jump or indirect call (gadgets) and chains them together to construct exploits. In this paper, we propose and implement shellcodeless JOP attacks. These provide an alternative means of achieving functionality identical to that of shellcode, but without the need to bypass DEP, since the chain consists entirely of code already present in the process and of attacker-controlled data that is never executed. We present the design and implementation of shellcodeless JOP as a new technique that red teams can use in exploits. In ideal circumstances, our shellcodeless JOP technique allows complex shellcode-like functionality to be achieved with ease, or with only a relatively small amount of space required for the payload.
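The control-flow model behind a JOP chain, as an added example that is not code from the paper or from this page: a small C model in which a dispatcher gadget (`add rdx, 8 ; jmp [rdx]`) walks an attacker-supplied dispatch table, and every functional gadget ends in `jmp rsi` to return to the dispatcher. The gadget set, the register model and `model_api` (standing in for any WinAPI import, first argument in rcx) are assumptions chosen for illustration, not gadgets or APIs taken from the paper. The point the model makes concrete is the one the abstract states: the only things the attacker supplies are gadget addresses and operands in data memory, so nothing the attacker writes ever has to become executable.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not from the paper): model of a dispatcher-based JOP chain.
 * Gadget IDs stand in for addresses of instruction sequences that already
 * exist in a loaded module. Everything the attacker supplies (dispatch table
 * and operand stack) is plain data in `mem` and is never executed.
 * Gadget names and model_api are hypothetical.
 */
enum Gadget {
    G_DISPATCHER,  /* add rdx, 8 ; jmp [rdx]   : step to the next table entry */
    G_POP_RCX,     /* pop rcx    ; jmp rsi                                    */
    G_POP_RDI,     /* pop rdi    ; jmp rsi                                    */
    G_ADD_RCX_RDI, /* add rcx, rdi ; jmp rsi                                  */
    G_POP_RAX,     /* pop rax    ; jmp rsi                                    */
    G_CALL_RAX,    /* call [rax] ; jmp rsi     : call an imported API         */
    G_HALT         /* terminates the chain                                    */
};

typedef struct {
    uint64_t rax, rcx, rdi, rdx, rsi, rsp, rip;
} Regs;

#define MEM_QWORDS 32   /* attacker-controlled data region, in qwords */

/* Modeled import table: model_api stands in for any WinAPI function.
 * Win64 convention: first argument in rcx, return value in rax. */
static uint64_t api_arg0_seen;
static int api_calls;
static uint64_t model_api(uint64_t arg0) { api_arg0_seen = arg0; api_calls++; return 0x5A5A; }

typedef uint64_t (*api_fn)(uint64_t);
static const api_fn import_table[] = { model_api };
#define IMPORT_COUNT (sizeof import_table / sizeof import_table[0])

uint64_t last_api_arg0(void) { return api_arg0_seen; }
int api_call_count(void) { return api_calls; }

/* Read a qword of attacker data; returns 0 on an out-of-bounds access (fault). */
static int load(const uint64_t *mem, uint64_t addr, uint64_t *out) {
    if (addr % 8 != 0 || addr / 8 >= MEM_QWORDS) return 0;
    *out = mem[addr / 8];
    return 1;
}

/* Run the chain until G_HALT. Returns gadgets executed, or -1 on a fault. */
int run_chain(Regs *r, const uint64_t *mem, int max_steps) {
    int steps = 0;
    for (;;) {
        uint64_t v;
        if (steps++ >= max_steps) return -1;
        switch (r->rip) {
        case G_DISPATCHER:
            r->rdx += 8;
            if (!load(mem, r->rdx, &v)) return -1;
            r->rip = v;                 /* jmp [rdx]: next gadget address */
            continue;                   /* the dispatcher does not go via rsi */
        case G_POP_RCX:
            if (!load(mem, r->rsp, &r->rcx)) return -1; r->rsp += 8; break;
        case G_POP_RDI:
            if (!load(mem, r->rsp, &r->rdi)) return -1; r->rsp += 8; break;
        case G_POP_RAX:
            if (!load(mem, r->rsp, &r->rax)) return -1; r->rsp += 8; break;
        case G_ADD_RCX_RDI:
            r->rcx += r->rdi; break;
        case G_CALL_RAX:
            if (r->rax >= IMPORT_COUNT) return -1;
            r->rax = import_table[r->rax](r->rcx); break;
        case G_HALT:
            return steps;
        default:
            return -1;                  /* landed on something that is not a gadget */
        }
        r->rip = r->rsi;                /* every functional gadget ends in jmp rsi */
    }
}

/* Builds a chain that computes rcx = 0x1000 + 0x40 and calls import 0 with it.
 * Returns the number of gadgets executed (12 for this chain), or -1 on fault. */
int jop_demo(void) {
    uint64_t mem[MEM_QWORDS] = {0};
    /* Operand stack at offset 0x00: values consumed by the pop gadgets, in order. */
    mem[0] = 0x1000;    /* pop rcx */
    mem[1] = 0x40;      /* pop rdi */
    mem[2] = 0;         /* pop rax: index of model_api in the import table */
    /* Dispatch table at offset 0x80: gadget addresses in execution order. */
    const uint64_t table_off = 0x80;
    mem[table_off / 8 + 0] = G_POP_RCX;
    mem[table_off / 8 + 1] = G_POP_RDI;
    mem[table_off / 8 + 2] = G_ADD_RCX_RDI;
    mem[table_off / 8 + 3] = G_POP_RAX;
    mem[table_off / 8 + 4] = G_CALL_RAX;
    mem[table_off / 8 + 5] = G_HALT;

    Regs r = {0};
    r.rsp = 0x00;                 /* operand stack */
    r.rdx = table_off - 8;        /* dispatcher pre-increments before loading */
    r.rsi = G_DISPATCHER;         /* functional gadgets jump back here */
    r.rip = G_DISPATCHER;         /* hijacked indirect branch enters the dispatcher */
    return run_chain(&r, mem, 64);
}

int main(void) {
    int steps = jop_demo();
    printf("gadgets executed: %d, API called %d time(s) with rcx=0x%llx\n",
           steps, api_call_count(), (unsigned long long)last_api_arg0());
    return steps < 0;
}
```

Two properties of the model are what matter for the abstract's argument: no gadget uses `ret`, so the chain does not depend on the stack pointer for control flow (the operand stack is just a second data region the pop gadgets read), and the dispatch table is ordinary data, so the chain itself can set up registers and call an imported function in place of shellcode.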


Related articles

ShellWasp and Offensive Usage of Windows Syscalls in Shellcode

While direct Windows syscalls have exploded in popularity, permitting offensive security tools to weaponize them to evade EDR, they have virtually never been used in shellcode itself, with the exception of egghunters, a specialized shellcode that uses only one syscall.
