Full Disclosure mailing list archives
Re: On Polymorphic Evasion
From: zero <zeroboy () arrakis es>
Date: Sat, 2 Oct 2004 17:55:52 +0200
Hi Phantasmal, Nice article, but I must say this technique is well known as a nice IDS evasion technique. Actually what you've done is called by some people "Instruction Stacking" and has been documented in a Black Hat briefing if I don't remember wrongly. Although I might say I'm sure Fermin is aware of this kind of IDS bypass and that his target wasn't coding an infallible shellcode detector. Anyway, it's a nice article :) Greetz to Fermin also ;)
There is still, however, one final step left - a polymorphic sled that works 100% of the time while still evading Serna's technique. The problem at hand is the extremely high likelihood that our exploit will fail if we land on a JMP argument. This can be solved by ensuring that all JMP arguments inserted into the payload are valid junk operators themselves.
Originally a portion of our sled looked like this:
<NOP><NOP><JMP><ARG><NOP><NOP>
It is clear that we would encounter problems if <ARG> was hit directly. Consider the following:
<NOP><NOP><JMP><JNOP><NOP><NOP>
In this situation <JNOP> acts both as the argument to <JMP> and, if returned to directly, as a <NOP>. The following is the final exploit in this paper. It contains a specialised array of opcodes suitable to act as a <JNOP>. This is needed to ensure that all of the JMPs go forward, which is done in order to avoid an endless loop (backward jumps are possible, but they are too sticky to implement here):
www.citfi.org
www.podergeek.com
"The further backward you look, the further forward you can see" Winston Churchill
"Access is GOD..."
Attachment:
_bin