Full Disclosure mailing list archives

Collision Course: Unveiling some IPS/IDS weakness!!
From: "Nelson Brito" <nbrito () sekure org>
Date: Fri, 19 Sep 2008 21:07:19 -0300

Hello, mates.

It has been a long time since I submitted any new code or even results of any
research, so here it is... This is ENG (Encore Next Generation), using
unpublished morphic techniques to write "unpredictable" exploit code...

It uses a pretty old vulnerability (MS02-039 - credits to David Litchfield),
and the only reason I'm making this available is to prove that an exploit
can be written using automation techniques that try to be unpredictable.
AFAIK, this technique can be applied in any/some exploitation.

Of course I took some good stuff out, and will keep it just for friends.

I was planning to send a good paper on that subject next December, right
after the H2HC, but I don't have the patience, sorry.

I think that the idea is in the code, so take a careful look at the code and
I promise you will understand the technique.

The Collision Course Project has two main codes:
- NNG (Numb Next Generation): a false-positive tool targeting the same
vulnerability, and it is available @ PacketStorm, btw, thanks Todd for
adding it (http://www.packetstormsecurity.nl/UNIX/IDS/nng-4.13r-public.rar).
- ENG (Encore Next Generation): a false-negative (morphic) tool.

Using both of them to test IPS/IDS is a good way to check the capability of
the detection technology and should help you to understand why attackers can
break into your network. I promise you: you will be surprised by the results
of the combinations you can do using NNG and ENG. I'm not kidding!!!

PS: I take no responsibility for any damage caused by misuse of these two
codes, so take care of your own acts! And if you want to try it under Win32,
please try the PacketStorm package.

Warning: You are not allowed to use any technique used in this tool in any
commercial tool. ;)

Best regards.

Nelson Brito
IT Security Professional

{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}$0;

Attachment: eng-4.23-public.r_a_r

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
