Last-minute paper: The ROP pack

Kurt Baumgartner (Kaspersky Lab)


In addition to automated social engineering techniques, exploit packs continue to be the rage for mass exploitation across the Internet. It is easy to estimate that millions of Internet users have visited sites hosting exploit-pack-generated web pages. A long list of packs has come and gone over the past handful of years, leaving behind a few of the most popular, such as the Eleonore, Phoenix and Siberia exploit packs.

We will dissect these packs, examining and comparing their characteristics, their effectiveness and how they have changed over the past year, with a focus on recent in-the-wild (ITW) installations and events. A long list of characteristics of this underground phenomenon will be presented: pricing models, development challenges, implementation, exploits, low-level technical details of the shellcode, and some of the payloads themselves.

The market for these packs is reactive and changing, which leads to a number of interesting questions: How easy is it to identify the presence of one kit versus another on the web? Is attribution easy (while not necessarily our job or interest, we will provide an example)? How is the market affected by Windows 7, DEP and ASLR? Is the shellcode simply copied and pasted from other projects, or is it developed privately? How long a window of opportunity do their exploits have to be effective? And finally, are there any advanced shellcoding or programming techniques in the current kits? This time the answer is yes: some of the coders found Metasploit inadequate for serving their cross-OS exploitation needs, and developed similar but improved ROP techniques. While researchers presenting at Black Hat USA considered ROP shellcoding techniques too new to be ITW, we find that ROP shellcoding was developed and delivered even to the commodity exploit packs in mid to late summer this year. We will examine and present these ITW techniques found in the resurrection of one particular exploit pack.
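The questions above turn on whether DEP and ASLR are actually in force for a given binary: an attacker only needs ROP when the target has opted in to both. The following is an added example (not code from the talk or from Kaspersky Lab) that reads the two opt-in flags from a PE image's optional header, `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (ASLR) and `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` (DEP), so a defender can audit which modules loaded in a browser or plugin process still expose a non-randomised, executable address space. Offsets follow the published PE/COFF layout; the `build_test_image` helper fabricates a minimal header purely so the script runs offline and is not a real executable.

```python
import struct

# Bit flags in IMAGE_OPTIONAL_HEADER.DllCharacteristics (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is compatible with DEP: NX opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory.

    Raises ValueError if the buffer is not a well-formed PE header, so a
    truncated or non-PE file is reported rather than silently scored as
    'no mitigations'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER starts here
    if size_of_optional < 72 or opt + size_of_optional > len(data):
        raise ValueError("optional header too short or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    # (PE32+ drops BaseOfData but widens ImageBase to 8 bytes, so the offset is unchanged).
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def mitigations(data: bytes) -> dict:
    """Report whether the image opts in to ASLR and DEP."""
    flags = parse_dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_test_image(dll_chars: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed minimal PE header (DOS stub + PE signature + COFF + optional
    header, no sections). This is synthetic test input, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    opt_size = 96 if magic == PE32_MAGIC else 112
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                 | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(mitigations(image))
```

Run it with a path to any DLL or EXE to print the two flags; with no argument it evaluates the constructed header. Note that a module reporting `dep: False` may still run non-executable under a system-wide DEP policy, and `aslr: True` only means the loader is permitted to relocate the image, so the header check is a first triage step rather than a complete verdict on the running process.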

At the time of this abstract's submission, an offensive security group is beginning its month of undisclosed bugs, releasing zero-day proofs of concept that effectively attack services on Windows 2008 SP1 with DEP set to 'alwayson'. We will monitor this event and its ROP code to identify their inclusion in ITW packs and malware.

It's something that Lil Wayne and Jay-Z might not participate in, but rop isn't quite rap.
