Re: Obfuscated shellcode

["Don Parker" <dparker () rigelksecurity com>]

Hello Karma, well yes part of it is to prove to a client to not solely rely on their IDS 
blindly :-) Not all clients have a structured/layered defence in place. Part of this is 
by showing them that unless they get the patch rolled out immediately plus update their 
signatures then they are gonna get a world of hurt. A fair amount of large corporate/gov
entities though don't push out their patches, signatures in a timely manner though. 

Indeed, as you mentioned changing the NOOP sled is only part of it. If you throw in XOR 
then again it is a different ball game once again. I also mentioned that I happen to 
know quite a few signatures from major vendors. I have found them to be lacking to say 
the least. To do the job properly of defending requires in-house talent that can game 
out exploits and their various variants. That though is often viewed as costly. In 
reality it is not, as many of us realize. You also need someone manning the IDS that 
will recongnize anomlous traffic when they see it. Thanks for your comments :-)

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 2 , "Karma" <steve () frij com> wrote:

Unless you are also testing for IDS and other detection devices, I dont see
the point in changing NOPs, however, changing them from NOPS in an
environment with IDS could really help identify weaknesses in signatures.

No, EIP will still land in the new "NOP" section and execute until it
reaches your payload, unless there is a bug of it comes to a null. So no it
should make no difference to a (un)-patched system.

Truth is, many cracking are done my kiddies, and they dont bother to alter
the NOP population in their eggcode anyway. Many IDS's are deployed not only
to match for NOPs but also to match for specific binary patterns such as
CDh, 80h, unless you are also intending to XOR your payload. So IMO, its
really up to your discretion. But I may have missed out on a few crucial
points, but first, to get some form of sleep :(

Cheers

----- Original Message ----- 
From: "Don Parker" <dparker () rigelksecurity com>
To: <vuln-dev () securityfocus com>
Sent: Monday, February 02, 2004 4:38 AM
Subject: Obfuscated shellcode


> Hello all, do any of you bother using obfuscated eggs during a pentest? I
ask here for I
> got no responses elsewhere. Though changing the well known x90 sled to
some other 1 byte
> function that won't affect the egg won't work against a patched service it
will, however
> elude an IDS signature.
>
> Quite a few large corporations may get updated signatures relatively
quickly but, they
> often do not patch for sometime due to baseline rollouts. Hence using an
obfuscated egg
> to slip past the IDS. This technique is not new, but it is becoming more
well known.
> There are some mitigaing factors here which could affect this such as
application layer
> firewalls and the such. I would however be interested in your thoughts on
this. I have
> not seem much discussion anywhere on this topic.
>
> Cheers!
> Don
>
> ------------------------------------------- 
> Don Parker, GCIA
> Intrusion Detection Specialist
> Rigel Kent Security & Advisory Services Inc
> www.rigelksecurity.com
> ph :613.249.8340
> fax:613.249.8319
> --------------------------------------------