Vulnerability Development mailing list archives
Re: Obfuscated shellcode
From: "Don Parker" <dparker () rigelksecurity com>
Date: Sun, 1 Feb 2004 18:45:41 -0500 (EST)
Hello Karma, well yes, part of it is to prove to a client not to solely rely on their IDS blindly :-) Not all clients have a structured/layered defence in place. Part of this is by showing them that unless they get the patch rolled out immediately plus update their signatures then they are gonna get a world of hurt. A fair amount of large corporate/gov entities, though, don't push out their patches and signatures in a timely manner.

Indeed, as you mentioned, changing the NOOP sled is only part of it. If you throw in XOR then it is a different ball game once again. I also mentioned that I happen to know quite a few signatures from major vendors. I have found them to be lacking to say the least. To do the job properly of defending requires in-house talent that can game out exploits and their various variants. That though is often viewed as costly. In reality it is not, as many of us realize. You also need someone manning the IDS that will recognize anomalous traffic when they see it.

Thanks for your comments :-)

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340 fax:613.249.8319
--------------------------------------------

On Feb 2, "Karma" <steve () frij com> wrote:

Unless you are also testing for IDS and other detection devices, I don't see the point in changing NOPs; however, changing them from NOPs in an environment with IDS could really help identify weaknesses in signatures.

No, EIP will still land in the new "NOP" section and execute until it reaches your payload, unless there is a bug or it comes to a null. So no, it should make no difference to a (un)patched system.

Truth is, many crackings are done by kiddies, and they don't bother to alter the NOP population in their eggcode anyway.

Many IDSs are deployed not only to match for NOPs but also to match for specific binary patterns such as CDh, 80h, unless you are also intending to XOR your payload. So IMO, it's really up to your discretion. But I may have missed out on a few crucial points, but first, to get some form of sleep :(

Cheers

----- Original Message -----
From: "Don Parker" <dparker () rigelksecurity com>
To: <vuln-dev () securityfocus com>
Sent: Monday, February 02, 2004 4:38 AM
Subject: Obfuscated shellcode
Hello all, do any of you bother using obfuscated eggs during a pentest? I ask here for I got no responses elsewhere. Though changing the well-known x90 sled to some other 1-byte function that won't affect the egg won't work against a patched service, it will, however, elude an IDS signature. Quite a few large corporations may get updated signatures relatively quickly but they often do not patch for some time due to baseline rollouts. Hence using an obfuscated egg to slip past the IDS. This technique is not new, but it is becoming more well known. There are some mitigating factors here which could affect this, such as application layer firewalls and the such. I would however be interested in your thoughts on this. I have not seen much discussion anywhere on this topic.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340 fax:613.249.8319
--------------------------------------------
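The detection side of the point both messages make, as an added Python example that is not part of this thread: a signature keyed only on the classic 0x90 sled misses a sled made of any other repeated byte, a fixed pattern match on CD 80 still fires as long as the payload is not encoded, and a byte-agnostic run-length check catches either sled. The buffers are constructed filler (no real shellcode) and the checks are generic illustrations, not any vendor's signatures.

```python
"""Sled-detection checks over constructed sample buffers.

A 0x90-only signature misses a sled built from another repeated byte;
a byte-agnostic run-length check still fires.  Buffers are filler.
"""
import re

# Classic signature: a long run of the well-known x86 NOP byte (0x90).
NOP_SIGNATURE = re.compile(rb"\x90{16,}")

# Fixed binary pattern for the Linux x86 syscall instruction (CD 80),
# the kind of pattern the thread says IDS vendors also match on.
INT80_SIGNATURE = re.compile(rb"\xcd\x80")


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best_byte, best_len, i = -1, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_byte, best_len = data[i], j - i
        i = j
    return best_byte, best_len


def sled_heuristic(data: bytes, min_run: int = 16) -> bool:
    """Flag any run of one repeated byte >= min_run, whatever the byte is."""
    return longest_run(data)[1] >= min_run


def scan(data: bytes) -> dict:
    """Run all three checks and report which of them fired."""
    return {
        "nop_sig": bool(NOP_SIGNATURE.search(data)),
        "int80_sig": bool(INT80_SIGNATURE.search(data)),
        "run_heuristic": sled_heuristic(data),
    }


# Constructed buffers: CD 80 plus printable filler stands in for the egg.
PAYLOAD = b"\xcd\x80" + b"<constructed payload filler>"
CLASSIC_SLED = b"\x90" * 40 + PAYLOAD  # 0x90 sled: every check fires
VARIANT_SLED = b"\x42" * 40 + PAYLOAD  # other repeated byte: NOP signature misses
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("classic", CLASSIC_SLED), ("variant", VARIANT_SLED), ("benign", BENIGN)]:
        print(f"{name:8s} {scan(buf)}")
```

Long runs of one byte also occur in legitimate traffic (zero padding, repeated whitespace), so the run-length check is a triage heuristic to tune per protocol, not a drop-in rule.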
Current thread:
- Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)
- Re: Obfuscated shellcode Karma (Feb 01)
- RE: Obfuscated shellcode Bojan Zdrnja (Feb 01)
- <Possible follow-ups>
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Don Parker (Feb 01)
- Re: Obfuscated shellcode Aaron Turner (Feb 01)