mailing list archives
Re: On Polymorphic Evasion
From: zero <zeroboy () arrakis es>
Date: Sat, 2 Oct 2004 17:55:52 +0200
Nice article, but I must say this technique is well known as a nice
IDS evasion technique. Actually what you've done is called by some
people "Instruction Stacking" and has been documented in a Black Hat
briefing, if I remember correctly.
Although I might say I'm sure Fermin is aware of this kind of IDS
bypass and that his target wasn't coding an infallible shellcode detector.
Anyway, it's a nice article :)
Greetz to Fermin also ;)
There is still, however, one final step left - a polymorphic sled that
works 100% of the time while still evading Serna's technique. The problem
at hand is the extremely high likelihood that our exploit will fail if
we land on a JMP argument. This can be solved by ensuring that all JMP
arguments inserted into the payload are valid junk operators themselves.
Originally a portion of our sled looked like this:
It is clear that we would encounter problems if <ARG> was hit directly.
Consider the following:
In this situation <JNOP> acts both as the argument to <JMP> and, if returned
to directly, a <NOP>. The following is the final exploit in this paper.
It contains a specialised array of opcodes suitable to act as a <JNOP>.
This is needed to ensure that all of the JMPs go forward, which is done
in order to avoid an endless loop (backward jumps are possible, but they
are too sticky to implement here):
"The further backward you look, the further forward you can see" Winston Churchill
"Access is GOD..."
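The quoted text turns on one property of a sled: from whichever offset execution starts, it must run off the far end through harmless bytes, including the bytes that serve as JMP arguments. A detector can test exactly that property by walking the buffer from every offset. The walker below is an added example; it is not code from this thread, from the article being replied to, or from Serna's detector. The single-byte junk-opcode table, the short-JMP handling, the scoring threshold and the two sample buffers are my own constructed assumptions, chosen so the check runs offline.

```python
# Added example (not from the thread): a byte-level "sled walker" that
# estimates whether a buffer behaves like a NOP sled, i.e. whether execution
# started at (almost) every offset runs off the far end through harmless
# single-byte instructions and short JMPs whose arguments are harmless too.

# Hand-picked subset of 32-bit x86 single-byte instructions that do not
# touch control flow (assumption: a real detector would use a disassembler).
JUNK_OPS = frozenset(
    [0x90]                      # nop
    + list(range(0x40, 0x50))   # inc/dec reg32
    + list(range(0x91, 0x98))   # xchg eax, reg32
    + [0x98, 0x99]              # cwde, cdq
    + [0xF5, 0xF8, 0xF9, 0xFC]  # cmc, clc, stc, cld
)
JMP_SHORT = 0xEB                # jmp rel8: EIP = EIP + 2 + signed(rel8)


def walk(buf, start, max_steps=4096):
    """Follow execution from `start`.

    Returns True if the walk leaves the buffer past its end (it "fell
    through" the sled), False if it hits a non-junk byte, jumps before the
    buffer, revisits an offset (a loop), or runs out of steps.
    """
    ip = start
    seen = set()
    for _ in range(max_steps):
        if ip >= len(buf):
            return True
        if ip < 0 or ip in seen:
            return False
        seen.add(ip)
        op = buf[ip]
        if op == JMP_SHORT:
            if ip + 1 >= len(buf):
                return False            # truncated instruction
            rel = buf[ip + 1]
            rel = rel - 256 if rel >= 0x80 else rel   # sign-extend rel8
            ip = ip + 2 + rel
        elif op in JUNK_OPS:
            ip += 1
        else:
            return False
    return False


def sled_score(buf):
    """Fraction of start offsets from which execution falls off the end."""
    if not buf:
        return 0.0
    return sum(walk(buf, i) for i in range(len(buf))) / len(buf)


def looks_like_sled(buf, threshold=0.9, min_len=32):
    """Flag buffers long enough to matter where nearly every offset falls
    through. Threshold and minimum length are assumptions, not tuned values."""
    return len(buf) >= min_len and sled_score(buf) >= threshold


# Constructed test vector: a 64-byte sled of the kind the quoted text
# describes. Each JMP argument (0x42, 0x45) is itself an inc-register junk
# op, so landing on it executes harmlessly, and every jump goes forward.
_PATTERN = bytes([0xEB, 0x42, 0x90, 0x41, 0x47, 0x98, 0x99, 0xEB,
                  0x45, 0x40, 0x4A, 0xF8, 0x91, 0x43, 0xFC, 0x90])
SAMPLE_SLED = _PATTERN * 4

# Constructed benign input: protocol text. Note that uppercase 'A'..'O' are
# 0x41..0x4F (inc/dec), which is why such walkers need a threshold rather
# than flagging any run of junk bytes.
SAMPLE_TEXT = b"GET /index.html HTTP/1.0\r\n" * 3

if __name__ == "__main__":
    print("sled score:", sled_score(SAMPLE_SLED), looks_like_sled(SAMPLE_SLED))
    print("text score:", sled_score(SAMPLE_TEXT), looks_like_sled(SAMPLE_TEXT))
```

Running the file scores the constructed sled at 1.0 (every offset, including the JMP argument bytes, falls through) and the HTTP text at 0.0, because the trailing CR/LF is not a junk byte, so no offset ever reaches the end. Two things the walker deliberately refuses: a `jmp` that targets its own offset or an earlier visited one is reported as a loop rather than spinning, and a `jmp` that lands before the buffer is reported as a failure, which is the practical reason the quoted text wants only forward jumps.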