Project Slot 1 - Improving Pwnypot

Student: Ruoyu Wang (CN)
Primary mentor: Georg Wicherski (DE)
Backup mentor: Jamie Riden (UK), supported by Shahriyar Jalayeri and Adel Karimi

Google Melange: https://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/ltfish/1

Project Overview:
This project is about improving MCEDP (a.k.a. Pwnypot). It aims to enhance the ROP detection features in MCEDP and make them harder to bypass.

Project Plan:

  • May 27th - June 17th: Community Bonding Period
  • June 17th : GSoC 2013 coding officially starts
  • Week 1. June 17th - June 23rd
    • Start working on the system call hooking module under Windows 7 32-bit
  • Week 2. June 24th - June 30th
    • Finish the system call hooking module under Windows 7 32-bit
    • Work on a workable exploit of MS12-043 under Windows XP
    • Fix the problem that MCEDP DLL injection does not work under XP
  • Week 3. July 1st - July 7th
    • Note: I'll be at SecuInside finals from July 1st to July 4th
    • Implement the system call hooking module under Windows 7 WOW64 mode. It shouldn't be that hard as it does not involve a driver
    • Finish the function for searching critical function addresses on the stack
  • Week 4. July 8th - July 14th
    • Add support of system call hooking of Windows XP SP2/SP3 32-bit
    • Integrate the system call hooking module with Pwnypot
    • Implement some other functions of ROPGuard:
      1. Check the target address of each return and see whether a call instruction precedes that address
      2. Conduct checks on critical API calls and critical system calls, e.g. ZwAllocateVirtualMemory, ZwCreateProcess, etc.
    • Try to port the exploit of MS12-043 to Windows 7
  • Week 5. July 15th - July 21st
    • Start implementing the execution-flow simulating approach mentioned in ROPGuard
    • Gather some high-quality IE exploits and implement MCEDP-bypassing approaches on them
  • Week 6. July 22nd - July 28th
    • Finish implementing the execution-flow simulating approach
    • Test the code written so far
    • Write blogpost for midterm evaluation
  • July 29th
    • Midterm evaluation
  • Week 7 & 8. July 29th - August 11th
    • Note: *Hopefully* I'll be at DEF CON CTF from August 1st to August 5th
    • Run Pwnypot against those workable IE exploits and test it
    • Prepare a set of program prototypes that are vulnerable to ROP attacks
    • If possible, collect a series of ROP-related exploits from other sources
    • Improve the ROP detection approach based on existing exploits
  • Week 9 & 10. August 12th - August 25th
    • Note: *Hopefully* I'll be at USENIX Security from August 12th to August 16th
    • Continue testing. We need further discussion on that
    • Improve the ROP gadgets dumping approach
    • TBD: Implement the support of outputting logs to Windows Event log
  • Week 11 & 12. August 26th - September 6th
    • Documentation work: improvements, how-tos
    • Write final blogposts
    • Make all code neat and clean
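The Week 4 item "see whether a call instruction precedes the return address" is the core of ROPGuard's stack check. The following is an added illustration, not code from Pwnypot, MCEDP or ROPGuard: it decodes the 32-bit x86 CALL encodings (E8 rel32, 9A far call, FF /2 with its ModRM/SIB/displacement forms) and flags saved return addresses that no CALL could have produced. The byte buffer and the list of return offsets are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>

/* Length of the CALL instruction starting at p, or 0 if p is not a CALL. */
static size_t call_length_at(const uint8_t *p, size_t avail)
{
    if (avail >= 5 && p[0] == 0xE8) return 5;          /* call rel32 */
    if (avail >= 7 && p[0] == 0x9A) return 7;          /* call ptr16:32 */
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2) return 0;             /* FF /2 only */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;
    if (mod == 3) return len;                          /* call reg */
    if (rm == 4) {                                     /* SIB byte present */
        if (avail < 3) return 0;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;     /* [sib + disp32] */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                      /* [disp32] */
    }
    if (mod == 1) len += 1;                            /* disp8 */
    if (mod == 2) len += 4;                            /* disp32 */
    return len <= avail ? len : 0;
}

/* ROPGuard-style check: does any CALL encoding end exactly at ret_off? */
int is_call_preceded(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off > code_len) return 0;
    for (size_t l = 2; l <= 7; l++) {
        if (ret_off < l) break;
        if (call_length_at(code + ret_off - l, l) == l) return 1;
    }
    return 0;
}

/* Count saved return addresses (given as offsets into code) that are not
 * call-preceded; a non-zero count is the ROP signal a hooked syscall acts on. */
size_t count_suspicious_returns(const uint8_t *code, size_t code_len,
                                const size_t *rets, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_call_preceded(code, code_len, rets[i])) bad++;
    return bad;
}

/* Constructed sample: call rel32; nop; call eax; nop; ret; nop; nop */
static const uint8_t sample_code[] = {0xE8,0,0,0,0, 0x90, 0xFF,0xD0, 0x90, 0xC3, 0x90, 0x90};
static const size_t sample_rets[] = {5, 8, 11};   /* two legitimate, one after a ret */

size_t demo_suspicious_count(void)
{
    return count_suspicious_returns(sample_code, sizeof sample_code, sample_rets, 3);
}
```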

Project Source Code Repository:
Please click here for Pwnypot, and here for the PwnypotDrv (which is deprecated, at least for now).

Student Weekly Blog:
Click me

Project Useful Links: