Metasploit mailing list archives
Subject: McAfee Entercept
From: hdm at metasploit.com (H D Moore)
Date: Tue, 30 Oct 2007 10:42:18 -0500
There are a ton of ways to get around HIPS products like these; unfortunately, as soon as we include them, the vendors will detect the new method and work around it. Copying the shellcode to a different segment before executing it bypasses a large chunk of these products (they look for LoadLibrary with a return address on the stack, etc). If you want a quick and dirty way to test this, set the 'Prepend' of the chosen exploit to an assembly stub that copies the shellcode to a "good" page (the .data of a DLL, some random memory mapping, etc).

A really good tool for testing HIPS implementations is SLIPFEST: http://slipfest.cr0.org/

-HD

On Tuesday 30 October 2007, Weston, David G. wrote:
> There's a paper in Phrack 62 about evading third party buffer overflow protection and I have had some success with the technique of using a return address in the process space marked read-only for the final stack frame, but does anyone have tricks to add