Vulnerability Development mailing list archives
Re: Obfuscated shellcode
From: "Karma" <steve () frij com>
Date: Mon, 2 Feb 2004 10:19:22 +1100
Unless you are also testing for IDS and other detection devices, I dont see the point in changing NOPs, however, changing them from NOPS in an environment with IDS could really help identify weaknesses in signatures. No, EIP will still land in the new "NOP" section and execute until it reaches your payload, unless there is a bug of it comes to a null. So no it should make no difference to a (un)-patched system. Truth is, many cracking are done my kiddies, and they dont bother to alter the NOP population in their eggcode anyway. Many IDS's are deployed not only to match for NOPs but also to match for specific binary patterns such as CDh, 80h, unless you are also intending to XOR your payload. So IMO, its really up to your discretion. But I may have missed out on a few crucial points, but first, to get some form of sleep :( Cheers ----- Original Message ----- From: "Don Parker" <dparker () rigelksecurity com> To: <vuln-dev () securityfocus com> Sent: Monday, February 02, 2004 4:38 AM Subject: Obfuscated shellcode
Hello all, do any of you bother using obfuscated eggs during a pentest? I
ask here for I
got no responses elsewhere. Though changing the well known x90 sled to
some other 1 byte
function that won't affect the egg won't work against a patched service it
will, however
elude an IDS signature. Quite a few large corporations may get updated signatures relatively
quickly but, they
often do not patch for sometime due to baseline rollouts. Hence using an
obfuscated egg
to slip past the IDS. This technique is not new, but it is becoming more
well known.
There are some mitigaing factors here which could affect this such as
application layer
firewalls and the such. I would however be interested in your thoughts on
this. I have
not seem much discussion anywhere on this topic. Cheers! Don ------------------------------------------- Don Parker, GCIA Intrusion Detection Specialist Rigel Kent Security & Advisory Services Inc www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319 --------------------------------------------
Current thread:
- Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)
- Re: Obfuscated shellcode Karma (Feb 01)
- RE: Obfuscated shellcode Bojan Zdrnja (Feb 01)
- <Possible follow-ups>
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)