Re: "Exploit creation - The random approach" or "Playing with random to build exploits"

[Stefano Zanero <zanero () elet polimi it>]

Nelson Brito wrote:

>       1. Slammer was the very first Flash Worm,

Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
which follows a precomputed spreading path, by using prior knowledge of
all the systems that are vulnerable to the particular exploit in use.
And Slammer didn't.

It is actually akin to a Warhol worm.

> dissemination, it only took 15 minutes to crash all the Internet
> infra-structure 

How exagerate ;)

> we didn't learn how to deal with worms

Nope, we didn't. But people stopped writing worms, because writing bots
is much more rewarding, economically.

> -[ Polymorphic Code
>
> This is not a new topic

No, indeed, it's very old.

> for years and years, but all our attention was gave to the shellcode. 

Well, actually that's because the polymorphic code for viruses and worms
came even before, and was already a beaten issue.

> even during my research, when I talked to someone about the perspective of
> having a real polymorphic code, people always got confused with polymorphic
> shellcode.

Strange, usually it's the other way round.

> Polymorphic code means that a code will change every time it executes,
> making it unpredictable. What we have, so far, are static codes, and I never
> saw any “dynamic” code exploiting any vulnerability. 

Didn't you mention you were NOT thinking of polymorphic SHELL-code, but
polymorphic code ?

> That is the reason some
> IPS/IDS can easily add signatures. 

Well, actually shellcode signatures are common, but they are not the reason.

And, signature based IPS/IDS have so many faults that you don't really
need polymorphic (shell)code to fool them.

> Now, we know how we must build the exploit, and I think we can do a great
> job randomizing all the fields. Here are the fields ENG needs to deal with:
> attack vector, buffer, return address, jumps, writable address, nops, and
> shellcode.

This is what most of us would call "obfuscating an attack", or "mutating
an attack". Just so that you know, a tool named SPLOIT was already made
to perform a number of mutations over exploits (at this and other levels).

Thanks for the write up. It's an handy cheat sheet for some things.

> I do hope I could proof all the concepts behind this idea,

Yep, well, you could just mention them. We already knew them ;-)

And, I don't see how these have to do with making a Warhol worm more
dangerous. Signature-based systems will never be useful against a Warhol
worm in any case, because the updates will simply be too late.

SZ