Full Disclosure mailing list archives
Re: IDS or IPS detection and bypass
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 08 Aug 2005 15:16:19 -0500
On Mon, 2005-08-08 at 13:40 +0400, Ahmad N wrote:
> I was trying to gain a reverse shell to a website the other day using a buffer overflow exploit. Unfortunately, it seems like they have some kind of buffer overflow exploit protection coming from an IDS or IPS

Or they just have the web server properly firewalled so that no outbound connections from the web server are allowed to the outside. No black-magic-IPS-fu required there.

Instead of using a reverse shell, either have the exploit crash the web server and set up a listener on port 80 and use a forward shell, or better yet, use an inline-shell that re-uses the already established session you have with the web server.

HTH,
Frank

--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
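
The egress restriction described in the reply above, written as a check a defender could run over firewall logs. This is an added example, not part of the original post; the log format, addresses and allowlist are constructed assumptions. It tracks flows statefully and reports every new flow that the web server itself initiates to a destination that is not allowlisted, which is the traffic a deny-outbound policy would drop.

```python
WEB_SERVER = "203.0.113.10"                      # constructed address of the web server
ALLOWED_EGRESS = {("udp", "198.51.100.53", 53)}  # constructed: the one resolver it may query

# Constructed log lines: time, protocol, source ip:port, destination ip:port
SAMPLE_LOG = """\
12:00:01 tcp 192.0.2.44:51234 203.0.113.10:80
12:00:01 tcp 203.0.113.10:80 192.0.2.44:51234
12:00:02 udp 203.0.113.10:40000 198.51.100.53:53
12:00:02 udp 198.51.100.53:53 203.0.113.10:40000
12:00:05 tcp 203.0.113.10:33012 192.0.2.44:9001
12:00:06 tcp 203.0.113.10:33012 192.0.2.44:9001
12:00:09 tcp 203.0.113.10:33020 192.0.2.99:443
"""

def parse(line):
    """Split one log line into (time, proto, src ip, src port, dst ip, dst port)."""
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, proto, sip, int(sport), dip, int(dport)

def egress_violations(log_text):
    """Return (time, destination) for each new flow opened by the web server
    to a destination outside ALLOWED_EGRESS. Replies on flows that a client
    opened (for example answers on port 80) are not reported."""
    seen = set()
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport = parse(line)
        flow = (proto, sip, sport, dip, dport)
        reply_of = (proto, dip, dport, sip, sport)
        # A flow is new only if neither it nor its reverse direction was seen before.
        is_new = flow not in seen and reply_of not in seen
        seen.add(flow)
        if is_new and sip == WEB_SERVER and (proto, dip, dport) not in ALLOWED_EGRESS:
            violations.append((ts, f"{dip}:{dport}"))
    return violations

if __name__ == "__main__":
    for ts, dest in egress_violations(SAMPLE_LOG):
        print(f"{ts} web server opened a new outbound flow to {dest}")
```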