Full Disclosure mailing list archives

Collision Course - Unveiling some IPS/IDS weakness!


From: "Nelson Brito" <nbrito () sekure org>
Date: Sat, 20 Sep 2008 00:34:16 -0300

Hello, mates.

It's been a long time since I submitted any new code or even results of any
research, so here it is... This is ENG (Encore Next Generation), using
unpublished morphic techniques to write "unpredictable" exploit codes...

It uses a pretty old vulnerability (MS02-039 - credits to David Litchfield),
and the only reason I'm making this available is to prove that an exploit
can be written using automation techniques that try to be unpredictable.
AFAIK, this technique can be applied in any/some exploitation.

Of course I took some good stuff out, and will keep it just for friends.

I was planning to send a good paper on that subject next December, right
after H2HC, but I don't have the patience, and this technique is probably
something already presented and not brand new, sorry. :D

I think that the idea is in the code, so take a careful look at the code and
I promise you will understand the technique.

The Collision Course Project has two main codes:
- NNG (Numb Next Generation): a false-positive tool targeting the same
vulnerability; it is available @ PacketStorm (btw, thanks Todd for
adding it: http://www.packetstormsecurity.nl/UNIX/IDS/nng-4.13r-public.rar).
- ENG (Encore Next Generation): a false-negative (morphic) tool.

Using both of them to test IPS/IDS is a good way to check the capability of
the detection technology and should help you to understand why attackers can
break into your network. I promise you: you will be surprised by the results
of the combinations you can do using NNG and ENG. I'm not kidding!!!

PS: I take no responsibility for any damage caused by misuse of these two
codes, so take care with your own actions!

Credits:
- Alpha2.c by Berend-Jan Wever
- NOP injection in Alpha shellcode, first mentioned by Matt Conover
- OpcodeDB by HD Moore
- MS02-039 by David Litchfield
- PacketStorm by Todd

[*] You are not allowed to add any technique used in this tool in any
commercial tool. ;)

Best regards.

Nelson Brito
IT Security Professional

{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}$0;

Attachment: eng-4.23-public.rar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/