Vulnerability Development
mailing list archives
Re: Obfuscated shellcode
From: Aaron Turner <aturner () pobox com>
Date: Sun, 1 Feb 2004 13:09:22 -0800
Sounds like a reason not to use these "major vendors". I know not all
vendors write signatures that are so easy to avoid and a number of them
have made it possible to roll out new signatures to tens or even
hundreds of signatures with a single click.
Basically, what I'm saying is that not all vendors have these issues, and
if they're important to you, then it would be worth your time to research
which vendors do it better.
As for obfuscated NOOPs and shell code, look at ADMmutate, which makes
shell code polymorphic and static signatures which rely on the shell code
and NOOPs pretty ineffective. http://www.ktwo.ca/security.html
Regards,
Aaron
On Sun, Feb 01, 2004 at 04:57:50PM -0500, Don Parker wrote:
Hi Aaron, well agreed any IDS worth its salt will detect a NOOP sled. I have however
seen the signatures firsthand of some major vendors and they all go for very generic
stuff such as the NOOP times n amount, and perhaps port matching. That is it,
literally. Also drawing on my work with some large entities I know firsthand that the
rollout of some patches can be very slow, thereby leaving open a large window of
opportunity for a munged egg to get through. Hence my question on using an obfuscated
egg to slip past the IDS.