Dailydave mailing list archives
Re: We have met the enemy, and the enemy is ... you.
From: TINNES Julien RD-MAPS-ISS <julien.tinnes () francetelecom com>
Date: Thu, 13 Apr 2006 11:14:26 +0200
> Sounds like a neat system; I guess anything that makes exploits harder is good. I wonder if anyone's done any work into whether it's possible to write generic exploits to bypass most of the popular HIPS in a single exploit - not that the attacker necessarily needs to. It'd be good to know which combinations of NIPS/HIPS are most troublesome for exploit writers, and why.
It is definitely possible to write generic exploits that will bypass a lot of HIPS, at least the behavioral analysis part. This is especially true for HIPS installed in big companies (where there are big constraints that the HIPS doesn't break anything and does not have much impact on performance). Most of the time, once you've got arbitrary code execution (a lot of HIPS will let you do that) you can VirtualAlloc, copy your shellcode, then VirtualProtect without write permission and run your shellcode from there. Yoann Guillot has found out that this technique works quite well, probably because the HIPS needs to allow dynamic code generation. So your only problem is to call VirtualAlloc/Protect without being detected, which is quite easy by proxying return from those functions through existing code to defeat stack backtracking. Take a look at SLIPFEST [1], you may be surprised at how many HIPS are fooled by the "call reg.ret" shellcode.

The "access control" part is sometimes much better, but requires a tuned policy file.

[1] http://slipfest.cr0.org

--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
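The post above contrasts a HIPS rule that backtraces the stack at VirtualAlloc/VirtualProtect time with an attacker who routes the returns through existing module code. The following is an added illustration, not code from the post, SLIPFEST or any HIPS product: a toy replay of constructed API-call traces against two defender-side rules, a call-stack rule (is the return address inside an image-backed module?) and a memory-state rule (does any private, non-image-backed region end up executable?). The event format, the `return_to` field, the module layout and the addresses are all assumptions made up for the model; the PAGE_* constants are the real winnt.h values.

```python
"""Toy model of two HIPS detection rules over constructed API-call traces.

Added example, not from the post or any product. It shows why a rule keyed on
the call stack misses a sequence whose returns are proxied through module
code, while a rule keyed on the resulting memory state still fires.
"""
from dataclasses import dataclass, replace

# Real protection constants from winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class ApiEvent:
    api: str        # "VirtualAlloc" or "VirtualProtect" (hypothetical trace record)
    address: int    # region base the call acts on
    protect: int    # requested PAGE_* value
    return_to: int  # return address of the call site, as a hook would record it


@dataclass
class Region:
    base: int
    size: int
    protect: int
    image_backed: bool  # True for memory mapped from a loaded module (MEM_IMAGE)


# Constructed address-space layout: a single loaded module and nothing else.
MODULES = [Region(base=0x00400000, size=0x00100000,
                  protect=PAGE_EXECUTE_READ, image_backed=True)]
SHELLCODE_BUF = 0x00A00000  # constructed address of the attacker's allocation


def in_image(addr, regions):
    """True if addr lies inside an image-backed region."""
    return any(r.image_backed and r.base <= addr < r.base + r.size for r in regions)


def backtrace_rule(events, regions):
    """Call-stack rule: flag API calls whose return address is outside any module."""
    return [e for e in events if not in_image(e.return_to, regions)]


def apply_events(events, regions):
    """Replay allocation/protection events onto a copy of the region list."""
    state = [replace(r) for r in regions]
    for e in events:
        if e.api == "VirtualAlloc":
            state.append(Region(e.address, 0x1000, e.protect, image_backed=False))
        elif e.api == "VirtualProtect":
            state = [replace(r, protect=e.protect) if r.base == e.address else r
                     for r in state]
    return state


def private_exec_rule(events, regions):
    """Memory-state rule: flag private regions left executable after replay."""
    return [r for r in apply_events(events, regions)
            if not r.image_backed and r.protect & EXEC_MASK]


# Constructed trace 1: the calls return to a non-module address (e.g. the stack).
NAIVE_TRACE = [
    ApiEvent("VirtualAlloc", SHELLCODE_BUF, PAGE_READWRITE, return_to=0x0012FF80),
    ApiEvent("VirtualProtect", SHELLCODE_BUF, PAGE_EXECUTE_READ, return_to=0x0012FF90),
]

# Constructed trace 2: same memory effect, but both returns land inside the module,
# the "proxy the return through existing code" case the post describes.
PROXIED_TRACE = [
    ApiEvent("VirtualAlloc", SHELLCODE_BUF, PAGE_READWRITE, return_to=0x00401234),
    ApiEvent("VirtualProtect", SHELLCODE_BUF, PAGE_EXECUTE_READ, return_to=0x00401234),
]


def evaluate(trace, regions=MODULES):
    """Count hits from each rule for a trace."""
    return {
        "backtrace_hits": len(backtrace_rule(trace, regions)),
        "private_exec_hits": len(private_exec_rule(trace, regions)),
    }


if __name__ == "__main__":
    for name, trace in (("naive", NAIVE_TRACE), ("proxied", PROXIED_TRACE)):
        print(name, evaluate(trace))
```

The proxied trace produces zero hits from the call-stack rule but still one hit from the memory-state rule, because the outcome the post describes (a private region made executable with the code already copied in) is visible in the address space no matter how the API was reached. That is the property a defender wants to key on when the stack can be faked.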
Current thread:
- We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 10)
- <Possible follow-ups>
- RE: We have met the enemy, and the enemy is ... you. Kyle Quest (Apr 10)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. TINNES Julien RD-MAPS-ISS (Apr 13)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. Knape, Joe (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Joel Eriksson (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. toby (Apr 12)
- Re: We have met the enemy, and the enemy is ... you. Ian Melven (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. jnf (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 12)