Vulnerability Development mailing list archives
Re: Obfuscated shellcode
From: Aaron Turner <aturner () pobox com>
Date: Sun, 1 Feb 2004 12:29:49 -0800
Don, While most IDS's will detect a NOOP sled, any IDS worth it's salt which has a signature for an exploit won't rely on it. Rather it will use something unique to the exploit which can't (at least easily) changed to avoid detection. Also, in my experiance most corporations update their signatures about as often as feasible (a combination of how often the IDS vendor updates the signatures and how easy it is to push the update to the sensors). Any organization which isn't using the latest signature set is wasting their effort and $$$. Ie, if you have to carefully manage your signature set and delay updating your sensors because things might horribly break without a way to manage that risk, then you should find another IDS vendor. -- Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/ They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin All emails are PGP signed; a lack of a signature indicates a forgery. On Sun, Feb 01, 2004 at 12:38:32PM -0500, Don Parker wrote:
Hello all, do any of you bother using obfuscated eggs during a pentest? I ask here for I got no responses elsewhere. Though changing the well known x90 sled to some other 1 byte function that won't affect the egg won't work against a patched service it will, however elude an IDS signature. Quite a few large corporations may get updated signatures relatively quickly but, they often do not patch for sometime due to baseline rollouts. Hence using an obfuscated egg to slip past the IDS. This technique is not new, but it is becoming more well known. There are some mitigaing factors here which could affect this such as application layer firewalls and the such. I would however be interested in your thoughts on this. I have not seem much discussion anywhere on this topic.
Attachment:
_bin
Description:
Current thread:
- Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)
- Re: Obfuscated shellcode Karma (Feb 01)
- RE: Obfuscated shellcode Bojan Zdrnja (Feb 01)
- <Possible follow-ups>
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)