Full Disclosure mailing list archives

Re: On Polymorphic Evasion


From: zero <zeroboy () arrakis es>
Date: Sat, 2 Oct 2004 17:55:52 +0200

Hi Phantasmal,
   Nice article, but I must say this technique is well known as a nice
   IDS evasion technique. Actually, what you've done is called by some
   people "Instruction Stacking" and has been documented in a Black Hat
   briefing, if I remember correctly.

   Although I might say I'm sure Fermin is aware of this kind of IDS
   bypass and that his target wasn't coding an infallible shellcode detector.

   Anyway, it's a nice article :)

   Greetz to Fermin also ;)

There is still, however, one final step left - a polymorphic sled that
works 100% of the time while still evading Serna's technique. The problem
at hand is the extremely high likelihood that our exploit will fail if
we land on a JMP argument. This can be solved by ensuring that all JMP
arguments inserted into the payload are valid junk operators themselves.

Originally a portion of our sled looked like this:

<NOP><NOP><JMP><ARG><NOP><NOP>

It is clear that we would encounter problems if <ARG> was hit directly.
Consider the following:

<NOP><NOP><JMP><JNOP><NOP><NOP>

In this situation <JNOP> acts both as the argument to <JMP> and, if returned
to directly, a <NOP>. The following is the final exploit in this paper.
It contains a specialised array of opcodes suitable to act as a <JNOP>.
This is needed to ensure that all of the JMPs go forward, which is done
in order to avoid an endless loop (backward jumps are possible, but they
are too sticky to implement here):



www.citfi.org 
www.podergeek.com 
********************************** 
"The further backward you look, the further forward you can see" Winston Churchill 
"Access is GOD..." 
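The <JNOP> idea quoted above can be checked mechanically: if every displacement byte is itself a one-byte filler instruction and every JMP goes forward to a target at or before the payload, then no landing offset in the sled can desynchronise the instruction stream. The following C program is an added example written for this archive page; it is not the exploit shipped as the attachment, nor code from Phantasmal, zero or Fermin Serna. The filler tables (JNOP[], NOP_ONLY[]), the "naive <ARG>" byte set, the 256-byte sled length and the seed are this example's own assumptions, and run_from() is a toy single-byte-aware decoder rather than an x86 emulator. It builds both sled variants, then tries every landing offset and counts the ones that fail to arrive exactly at the payload.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed filler set (this example's choice): one-byte 32-bit x86 instructions
 * that leave esp and control flow alone. JNOP[] is the subset whose encodings
 * are also positive rel8 displacements (< 0x80), so each can be the argument
 * of a forward short JMP and still run as filler when landed on directly. */
static const uint8_t JNOP[] = {
    0x27, 0x2F, 0x37, 0x3F,                    /* daa, das, aaa, aas */
    0x40, 0x41, 0x42, 0x43, 0x45, 0x46, 0x47,  /* inc r32 (esp skipped) */
    0x48, 0x49, 0x4A, 0x4B, 0x4D, 0x4E, 0x4F,  /* dec r32 (esp skipped) */
};
static const uint8_t NOP_ONLY[] = {
    0x90, 0x91, 0x92, 0x93, 0x95, 0x96, 0x97,  /* nop, xchg eax,r32 (esp skipped) */
    0x98, 0x99, 0xF5, 0xF8, 0xF9, 0xFC,        /* cwde, cdq, cmc, clc, stc, cld */
};
/* The original <ARG> problem: displacements that, if landed on, open a multi-byte
 * instruction (add eax,imm32; or/and/cmp al,imm8; push imm32/imm8; jo rel8). */
static const uint8_t NAIVE_ARG[] = { 0x05, 0x0C, 0x24, 0x3C, 0x68, 0x6A, 0x70 };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static uint32_t xorshift32(uint32_t *s)      /* small deterministic PRNG */
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Fill out[0..len) with a sled; the payload is assumed to start at out[len].
 * A JMP is placed only where its target stays at or before the payload. */
static void build_sled(uint8_t *out, size_t len, int use_jnop, uint32_t seed)
{
    uint32_t s = seed ? seed : 1;
    size_t i = 0;
    while (i < len) {
        if (xorshift32(&s) % 4 == 0) {          /* about one JMP per four slots */
            uint8_t d = use_jnop ? JNOP[xorshift32(&s) % COUNT(JNOP)]
                                 : NAIVE_ARG[xorshift32(&s) % COUNT(NAIVE_ARG)];
            if (i + 2 + d <= len) {
                out[i] = 0xEB;                  /* jmp rel8 */
                out[i + 1] = d;
                i += 2;                         /* the skipped bytes still get filled */
                continue;
            }
        }
        uint32_t r = xorshift32(&s) % (COUNT(NOP_ONLY) + COUNT(JNOP));
        out[i++] = r < COUNT(NOP_ONLY) ? NOP_ONLY[r] : JNOP[r - COUNT(NOP_ONLY)];
    }
}

enum { REACHED_PAYLOAD, BAD_OPCODE, BAD_TARGET };

static int is_filler(uint8_t b)
{
    for (size_t k = 0; k < COUNT(JNOP); k++)     if (JNOP[k] == b)     return 1;
    for (size_t k = 0; k < COUNT(NOP_ONLY); k++) if (NOP_ONLY[k] == b) return 1;
    return 0;
}

/* Toy checker, not an emulator: only 0xEB disp8 and the filler set are known.
 * Any other byte means the stream desynchronised; a backward or out-of-range
 * target is rejected because it risks an endless loop or skips the payload. */
static int run_from(const uint8_t *sled, size_t len, size_t start)
{
    size_t pc = start;
    while (pc < len) {
        uint8_t b = sled[pc];
        if (b == 0xEB) {
            if (pc + 1 >= len) return BAD_TARGET;   /* disp byte would be payload */
            long next = (long)pc + 2 + (int8_t)sled[pc + 1];
            if (next <= (long)pc || next > (long)len) return BAD_TARGET;
            pc = (size_t)next;
        } else if (is_filler(b)) {
            pc++;
        } else {
            return BAD_OPCODE;
        }
    }
    return REACHED_PAYLOAD;                         /* pc == len: first payload byte */
}

/* Number of landing offsets from which execution does not reach the payload. */
static size_t count_failing_offsets(const uint8_t *sled, size_t len)
{
    size_t bad = 0;
    for (size_t off = 0; off < len; off++)
        if (run_from(sled, len, off) != REACHED_PAYLOAD) bad++;
    return bad;
}

/* Build a 256-byte sled with a fixed seed and count its failing offsets. */
static size_t demo_failures(int use_jnop)
{
    uint8_t sled[256];
    build_sled(sled, sizeof sled, use_jnop, 0xC0FFEE);
    return count_failing_offsets(sled, sizeof sled);
}

int main(void)
{
    printf("JNOP sled:        %zu of 256 offsets fail\n", demo_failures(1));
    printf("naive <ARG> sled: %zu of 256 offsets fail\n", demo_failures(0));
    return 0;
}
```

The property the checker enforces is the one the quoted text relies on: from any byte of the sled, decoding either advances one filler byte or takes a forward JMP whose target is no later than the payload, so every path ends at the payload's first byte. The naive sled fails exactly at the offsets where the displacement byte is hit directly, which is the <ARG> case the <JNOP> substitution removes. A real sled should also be checked against the target's register and flag assumptions (the cwde/cdq and daa-family filler above clobbers eax, edx and flags) and with a real disassembler rather than this whitelist decoder.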

Attachment: _bin