Wild West Hackin' Fest 2020 - Deadwood

When exploited are developed from scratch, in a modern Windows system you often must use code-reuse attacks, Return-oriented Programming (ROP), as a means to overcome certain mitigations, such as Data Execution Prevention (DEP), to make it possible to execute shellcode; ROP is in a sense, a necessary evil to move forward. ROP is well established and requires the use of specialized tools, such as Mona, in order to discover ROP gadgets. However, another code-reuse attack paradigm is possible: Jump-Oriented Programming (JOP). While JOP is similar to ROP, but it is also very different in many significant ways. While ROP is well known and frequently used, most exploit developers have never heard of JOP, or have only passing familiarity. In some academic literature, there were claims that JOP had NEVER been done in the wild. That was false, it has been, but there were just a handful of times where it was known to have done so. What made JOP totally infeasible, to a large extent, was the fact that there was no dedicated tool to help facilitate JOP, unlike with ROP.  Moreover, the information on how to actually do JOP was extremely limited, with some academic journal articles providing scant, highly imited discussion. There was absolutely no practical information on how to actually do JOP in a Windows environment. All of these made it very challenging to do JOP.

All this changed in 2019, when Dr. Brizendine created and released the JOP ROCKET, providing a tool that makes JOP feasible, and providing guidance on how to use JOP in a Windows environment.

Make no mistake about it--JOP is an elite alternative to ROP, and it is not for the faint of heart. If you are looking to push and challenge yourself, then you owe it to yourself to learn about JOP. In this talk, we will first introduce code-reuse attacks, providing some background on both ROP as well as JOP. Then we will focus discussion on the new JOP ROCKET, an exploitation tool created right here in South Dakota. From there, we will get into the nitty-gritty of JOP exploit development in a Windows environment, walking people through the steps, explaining the various complex nuances and gotcha's (and there are many). This talk will also include a working JOP demo, which will provide a walk-through on how to do JOP with a sample exploit. We will even provide a special JOP exploit challenge for attendees that wish to try it on their own!

This talk is very empowering, as attendees will challenge themselves and learn about a new type of code-reuse attack that they have likely never encountered. Key takeaways are that they will be excited to go challenge themselves by trying to do JOP in an exploit, and they will be empowered because they have knowledge to start mastering one of the esoteric, dark arts of software exploitation. It truly is liberating to see with JOP and low-level exploitation, how we are limited only by our imagination, to rise up and do things we may have never dreamed possible.