Vulnerability Development mailing list archives

Re: Lame: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDS


From: <ld () insomniac ath cx>
Date: Sun, 27 Jan 2002 00:20:34 -0500 (EST)

The whitepaper focuses mostly on detecting the NOP sled.  It recommends
looking for about 50 to 60 in a row to limit the number of false positives.
They talk about using NOP as well as 1 byte instructions like push %eax, inc
%eax, etc. for the NOP sled, but this isn't what we are limited to.  We can
use something like: mov $0x41414141, %ebx, which in hex is bb41414141.  If you
hit at the start of the instruction it does the mov; if you miss the start and
land in the middle it does an inc %ecx until you hit the next mov, then it's
movs until you reach the shellcode.  If crashing the program isn't a problem
then you can use something like cmp $0x495b5046,%edx or 81fa46505b49.  If
you land right on it, you get the cmp; if you miss it by one it's cli, which will
crash. Anything after that is a one byte operation: inc %esi, push %eax, pop
%ebx, dec %ecx.  If you make 96 bytes of this and are trying to brute force the
address then you add like 93 to the address, then one, then 93, then one.....
That way you make sure that if it lands on the cli instruction, then when you
add 1 you will land on a good instruction.  I didn't research this much; it
just came to mind when thinking of ways to avoid their detection.  They might
have thought of this and detected it, but from reading the whitepaper it didn't
sound like it.

lockdown

(reply-to: sweasel18 () aol com)
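An added example, not part of this thread or of the NGSEC whitepaper it discusses: a minimal version of the sled heuristic the post describes (flag a buffer when it contains roughly 50 to 60 single-byte filler instructions in a row), run over a few constructed samples. The opcode set and the threshold value of 50 are assumptions chosen to cover the instructions the post names (nop, inc/dec, push/pop); the function and constant names are mine.

```python
# Added example (not from the thread): a byte-run heuristic for classic NOP
# sleds, in the spirit of the detection approach the post summarises.
from typing import Tuple

# Assumption: single-byte x86 (32-bit) opcodes commonly used as sled filler.
# 0x90 = nop, 0x40-0x47 = inc r32, 0x48-0x4f = dec r32,
# 0x50-0x57 = push r32, 0x58-0x5f = pop r32.
# Note that ASCII 'A'-'Z', '@', '[', '\\', ']', '^', '_' fall in 0x40-0x5f,
# which is exactly why the run threshold has to be high to avoid false
# positives on ordinary text.
SLED_BYTES = frozenset([0x90] + list(range(0x40, 0x60)))

# The post quotes "50 to 60 in a row"; 50 is the lower bound used here.
SLED_THRESHOLD = 50


def longest_sled_run(data: bytes, sled_bytes=SLED_BYTES) -> Tuple[int, int]:
    """Return (length, offset) of the longest run of sled bytes in data."""
    best_len = best_off = 0
    run_len = run_start = 0
    for i, b in enumerate(data):
        if b in sled_bytes:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_len, best_off = run_len, run_start
        else:
            run_len = 0
    return best_len, best_off


def looks_like_sled(data: bytes, threshold: int = SLED_THRESHOLD) -> bool:
    """True when data contains at least `threshold` consecutive sled bytes."""
    length, _ = longest_sled_run(data)
    return length >= threshold


# Constructed samples (not captured traffic):
#  - a classic 64-byte nop sled followed by int3 bytes,
#  - a sled mixing the single-byte instructions the post names,
#  - a benign HTTP request that happens to end in a short burst of 'P' bytes
#    (0x50 = push %eax), short enough to stay under the threshold.
CLASSIC_SLED = b"\x90" * 64 + b"\xcc" * 8
MIXED_SLED = bytes([0x40, 0x50, 0x58, 0x49] * 16) + b"\xcc" * 8
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n" + b"P" * 20

if __name__ == "__main__":
    for name, blob in [("classic", CLASSIC_SLED), ("mixed", MIXED_SLED),
                       ("benign", BENIGN)]:
        length, offset = longest_sled_run(blob)
        print(f"{name:8s} longest run={length:3d} at {offset:3d} "
              f"flagged={looks_like_sled(blob)}")
```

The heuristic only counts single-byte opcodes as filler, so it illustrates the limitation the post points out: a sled assembled from multi-byte instructions is outside what this kind of byte-run check can see, and a detector that wants to cover it needs to disassemble from several alignments rather than count bytes.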

