Vulnerability Development mailing list archives

Obfuscated shellcode


From: "Don Parker" <dparker () rigelksecurity com>
Date: Sun, 1 Feb 2004 12:38:32 -0500 (EST)

Hello all, do any of you bother using obfuscated eggs during a pentest? I ask here for I
got no responses elsewhere. Though changing the well-known x90 sled to some other 1-byte
function that won't affect the egg won't work against a patched service, it will, however,
elude an IDS signature.

Quite a few large corporations may get updated signatures relatively quickly, but they
often do not patch for some time due to baseline rollouts. Hence using an obfuscated egg
to slip past the IDS. This technique is not new, but it is becoming more well known.
There are some mitigating factors here which could affect this, such as application-layer
firewalls and the such. I would, however, be interested in your thoughts on this. I have
not seen much discussion anywhere on this topic.
 
Cheers! 
Don  
 
------------------------------------------- 
Don Parker, GCIA 
Intrusion Detection Specialist 
Rigel Kent Security & Advisory Services Inc 
www.rigelksecurity.com 
ph :613.249.8340 
fax:613.249.8319 
-------------------------------------------- 

