This talk will present a new disarming flaw that can be used to prevent all anti-ROP checks in EMET 5.5x from ever being performed. The disarming condition stems from the fact that references to the read-only CONFIG_STRUCT are always retrieved from the process heap (which has PAGE_READWRITE protection). This is obscured by the use of DecodePointer throughout EMET.
Presentation Outline
Short introduction to EMET
Short introduction to the info leak / RW-primitive requirement
Recap of Offensive Security research on disarming EMET 4.1 and 5.0, and how those disarms were fixed
New disarming flaw identification
New disarming flaw exploitation
Purpose of EAF, what changed in EMET 5.5x and how to bypass it