Penetration Testing mailing list archives
HIPS Buffer Overflow Protection - Bypass
From: bart () packetjunkie com
Date: Tue, 14 Nov 2006 15:20:22 -0700
List,

I've recently been testing some HIPS products to gauge their effectiveness against different exploits and stumbled on something a little strange yesterday. Everything I launched against one of the products (to remain anonymous) was picked up either by the signature-based prevention or its generic buffer overflow protection. I was almost ready to hang it up, and then I decided to change up some of the payloads in the attacks to see if that would make a difference. I launched the ms06-040 exploit against an unpatched Win2K Server SP4 system using Metasploit 3.0. Every payload I tried was caught, EXCEPT for the windows/adduser payload. After running the exploit with this payload, an account was successfully created on the system with administrator privileges. It worked like a charm.

My question to all of you is basically: why would this product detect and prevent all of the other payloads used with this exploit except for this one? Would it be because of the size (the adduser payload is smaller than, say, the bind_tcp payload) or something else? Could it be that since the product did not have a signature for that specific exploit, and it relied on the buffer overflow protection piece, the exploit ran, and when it came time for the shellcode to run, it did not detect it as "foreign" or not authorized?

I don't want to have to say which product this was, but I will say that I will be trying this exact vector on the next few I try and will post an update if they too allow this to happen. It just confuses me as to why a certain shellcode is allowed to execute and others would not be.

Any help would be great. I'm just trying to satisfy my own curiosity here and see if maybe there's something a little deeper that I may have stumbled on.

Thanks.

- Bart
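The difference Bart observed can be reasoned about from what the payloads actually do on the host. The Metasploit windows/adduser payload's only observable action is a WinExec of `cmd.exe /c net user ... /ADD && net localgroup Administrators ... /ADD`; the shell_bind_tcp and shell_reverse_tcp payloads first resolve ws2_32, create a socket and bind/listen/accept or connect, and only then spawn cmd.exe with redirected handles. A HIPS rule set that keys its "shellcode" verdict on socket activity therefore has nothing to fire on for adduser. The toy rule engine below is an added example for this thread, not Bart's code and not any vendor's HIPS; the API call traces it evaluates are constructed approximations of each payload's behaviour, not captured logs, and the rule names are invented for illustration.

```python
"""Toy behavioural-rule engine: which payload behaviours does a given rule set see?

Added example for this thread (not the poster's code, not any vendor's product).
The traces are constructed approximations of what the Metasploit payloads do on
the target, not captured logs: bind_tcp/reverse_tcp set up a socket before
spawning cmd.exe; adduser only calls WinExec on a 'net user' command line.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Call:
    api: str      # Win32 API name as a monitor would hook it
    arg: str = ""  # the one argument that matters for the rules below


# Constructed traces (assumption: this is roughly the API sequence each payload emits).
TRACES: Dict[str, List[Call]] = {
    "windows/shell_bind_tcp": [
        Call("LoadLibraryA", "ws2_32.dll"), Call("WSAStartup"), Call("WSASocketA"),
        Call("bind", "0.0.0.0:4444"), Call("listen"), Call("accept"),
        Call("CreateProcessA", "cmd.exe"),
    ],
    "windows/shell_reverse_tcp": [
        Call("LoadLibraryA", "ws2_32.dll"), Call("WSAStartup"), Call("WSASocketA"),
        Call("connect", "10.0.0.1:4444"),
        Call("CreateProcessA", "cmd.exe"),
    ],
    "windows/adduser": [
        Call("WinExec", "cmd.exe /c net user metasploit metasploit /ADD && "
                        "net localgroup Administrators metasploit /ADD"),
    ],
}

Rule = Callable[[List[Call]], bool]


def network_listener(trace: List[Call]) -> bool:
    """bind + listen + accept in the trace: a listening backdoor."""
    apis = {c.api for c in trace}
    return {"bind", "listen", "accept"} <= apis


def outbound_connect(trace: List[Call]) -> bool:
    """Any connect(): a reverse shell or download stage."""
    return any(c.api == "connect" for c in trace)


def spawns_shell(trace: List[Call]) -> bool:
    """Any process-creation API whose command line names cmd.exe."""
    spawners = {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA"}
    return any(c.api in spawners and "cmd.exe" in c.arg.lower() for c in trace)


# Hypothetical rule sets: one keyed only on socket activity, one that also
# treats cmd.exe being spawned from an exploited service as hostile.
SOCKET_ONLY_RULES: Dict[str, Rule] = {
    "network_listener": network_listener,
    "outbound_connect": outbound_connect,
}
PROCESS_AWARE_RULES: Dict[str, Rule] = {**SOCKET_ONLY_RULES, "spawns_shell": spawns_shell}


def evaluate(trace: List[Call], rules: Dict[str, Rule]) -> Set[str]:
    """Names of the rules that fire on this trace (empty set = payload runs unnoticed)."""
    return {name for name, pred in rules.items() if pred(trace)}


def undetected(rules: Dict[str, Rule]) -> List[str]:
    """Payloads in TRACES that trigger none of the given rules."""
    return sorted(name for name, trace in TRACES.items() if not evaluate(trace, rules))


if __name__ == "__main__":
    for label, rules in (("socket-only", SOCKET_ONLY_RULES), ("process-aware", PROCESS_AWARE_RULES)):
        print(f"{label:13} misses: {undetected(rules) or 'nothing'}")
```

Under the socket-only rule set the adduser payload is the one trace that trips nothing, which matches the observed behaviour; adding a rule on shell spawning closes that gap in this toy model. The practical check it suggests for the next products is to run the same exploit with payloads that differ only in their post-exploitation action (adduser, windows/exec with a harmless command, then the socket-based shells) and record which verdict each one receives.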
Current thread:
- HIPS Buffer Overflow Protection - Bypass bart (Nov 14)
- <Possible follow-ups>
- Re: HIPS Buffer Overflow Protection - Bypass dfullerton (Nov 15)
- Re: HIPS Buffer Overflow Protection - Bypass Sanjay R (Nov 15)