Vulnerability Development mailing list archives
Re: Obfuscated shellcode
From: Aaron Turner <aturner () pobox com>
Date: Sun, 1 Feb 2004 13:09:22 -0800
Sounds like a reason not to use these "major vendors". I know not all vendors write signatures that are so easy to avoid, and a number of them have made it possible to roll out new signatures to tens or even hundreds of sensors with a single click. Basically, what I'm saying is that not all vendors have these issues, and if they're important to you, then it would be worth your time to research which vendors do it better.

As for obfuscated NOOP's and shell code, look at ADMmutate, which makes shell code polymorphic and static signatures which rely on the shell code and NOOP's pretty ineffective. http://www.ktwo.ca/security.html

Regards,
Aaron

On Sun, Feb 01, 2004 at 04:57:50PM -0500, Don Parker wrote:
> Hi Aaron, well agreed any IDS worth its salt will detect a NOOP sled. I have however seen the signatures firsthand of some major vendors and they all go for very generic stuff such as the NOOP times n amount, and perhaps port matching. That is it, literally. Also drawing on my work with some large entities I know firsthand that the rollout of some patches can be very slow, thereby leaving open a large window of opportunity for a munged egg to get through. Hence my question on using an obfuscated egg to slip past the IDS.
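The "NOOP times n amount, and perhaps port matching" signature style that Don describes, and why Aaron considers it easy to avoid, can be made concrete with a small detector. The following is an added illustration written for this archive page; it is not code from either poster or from any IDS vendor. It implements two constructed rules: a literal run-of-0x90 match (the generic signature under discussion) and a broader "any byte repeated n times" match, and evaluates them against constructed sample payloads so the trade-off is visible: the literal rule misses anything that is not a plain 0x90 sled, while the broad rule also fires on ordinary padding and long runs of a single character in legitimate traffic. The rule names, thresholds and sample bytes are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Toy IDS-style sled signatures (added example, not from the thread).

Two constructed content rules are evaluated against constructed payloads:
  * nop-sled-0x90      - the generic "NOOP times n" rule discussed in the thread
  * repeated-byte-run  - a broader rule: any single byte repeated n times
The 14-byte threshold and the watched port set are assumptions for the example.
"""

from typing import List, Optional, Tuple

X86_NOP = 0x90
DEFAULT_MIN_RUN = 14          # assumed threshold; real rules pick their own
WATCHED_PORTS = {80, 443}     # assumed "port matching" component of the rule


def longest_run(payload: bytes, value: int) -> int:
    """Length of the longest run of the byte `value` in payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def longest_single_byte_run(payload: bytes) -> Tuple[int, Optional[int]]:
    """Longest run of any repeated byte, returned as (length, byte value)."""
    best_len, best_val = 0, None
    run, prev = 0, None
    for b in payload:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best_len:
            best_len, best_val = run, b
    return best_len, best_val


def naive_nop_signature(payload: bytes, min_run: int = DEFAULT_MIN_RUN) -> bool:
    """Generic 'NOOP times n' rule: fires only on a literal run of 0x90."""
    return longest_run(payload, X86_NOP) >= min_run


def broad_run_signature(payload: bytes, min_run: int = DEFAULT_MIN_RUN) -> bool:
    """Broader rule: fires when any single byte value repeats min_run times.

    Catches sleds built from other repeated one-byte instructions, but at the
    cost of false positives on zero padding, whitespace runs and 'AAAA...' data.
    """
    length, _ = longest_single_byte_run(payload)
    return length >= min_run


def evaluate(dst_port: int, payload: bytes) -> List[str]:
    """Apply port matching first, then the two content rules; return rule names that fired."""
    if dst_port not in WATCHED_PORTS:
        return []
    fired = []
    if naive_nop_signature(payload):
        fired.append("nop-sled-0x90")
    if broad_run_signature(payload):
        fired.append("repeated-byte-run")
    return fired


# Constructed sample payloads (no real exploit content; 0xCC is just a marker byte).
SLED = b"\x90" * 20 + b"\xcc" * 4          # textbook 0x90 sled
ALT_RUN = b"A" * 20 + b"\xcc" * 4          # run of a different single byte
ZERO_PADDING = b"\x00" * 64                # benign padding seen in many protocols
BENIGN = b"GET /index.html HTTP/1.0\r\n"   # ordinary request, longest run is 2


if __name__ == "__main__":
    for name, sample in [("SLED", SLED), ("ALT_RUN", ALT_RUN),
                         ("ZERO_PADDING", ZERO_PADDING), ("BENIGN", BENIGN)]:
        print(f"{name:13s} port 80 -> {evaluate(80, sample)}  port 22 -> {evaluate(22, sample)}")
```

Running the block shows the shape of the problem Don raises: only `SLED` trips the literal rule, `ALT_RUN` and `ZERO_PADDING` trip the broad rule (one of them legitimately, one as a false positive), and nothing fires on a non-watched port regardless of content. Encoders such as the ADMmutate tool Aaron mentions remove the repeated-byte property altogether, which is why a rule set that depends on sled bytes or fixed shell code bytes needs to be paired with protocol-aware or behavioural detection rather than relied on alone.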