Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: On Polymorphic Evasion
From: zero <zeroboy () arrakis es>
Date: Sat, 2 Oct 2004 17:55:52 +0200

Hi Phantasmal,
   Nice article, but I must say this technic is well known as a nice
   IDS evasion technic. Actually what you've done is called by some
   people "Instruction Stacking" and has been documented in a blackhat
   briefing if I don't remember bad.

   Although I might say I'm sure Fermin is aware of this kind of IDS
   bypass and that his target wasn't coding an infalible shellcode detector.

   Anyway, it's a nice article :)

   Greetz to Fermin also ;)

There is still, however, one final step left - a polymorphic sled that
works 100% of the time while still evading Serna's technique. The problem
at hand is the extremely high likelihood that our exploit will fail if
we land on a JMP argument. This can be solved by ensuring that all JMP
arguments inserted into the payload are valid junk operators themselves.

Originally a portion of our sled looked like this:


It is clear that we would encounter problems if <ARG> was hit directly.
Consider the following:


In this situation <JNOP> acts both as the argument to <JMP> and, if returned
to directly, a <NOP>. The following is the final exploit in this paper.
It contains a specialised array of opcodes suitable to act as a <JNOP>.
This is needed to ensure that all of the JMP's go forward, which is done
in order to avoid an endless loop (backward jumps are possible, but they
are too sticky to implement here):

"The further backward you look, the further forward you can see" Winston Churchill 
"Access is GOD..." 

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]