OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-Disclosure] On Polymorphic Evasion

From: zero (zeroboyarrakis.es)
Date: Sat Oct 02 2004 - 10:55:52 CDT

Hi Phantasmal,
   Nice article, but I must say this technic is well known as a nice
   IDS evasion technic. Actually what you've done is called by some
   people "Instruction Stacking" and has been documented in a blackhat
   briefing if I don't remember bad.

   Although I might say I'm sure Fermin is aware of this kind of IDS
   bypass and that his target wasn't coding an infalible shellcode detector.

   Anyway, it's a nice article :)

   Greetz to Fermin also ;)

> There is still, however, one final step left - a polymorphic sled that
> works 100% of the time while still evading Serna's technique. The problem
> at hand is the extremely high likelihood that our exploit will fail if
> we land on a JMP argument. This can be solved by ensuring that all JMP
> arguments inserted into the payload are valid junk operators themselves.

> Originally a portion of our sled looked like this:

> <NOP><NOP><JMP><ARG><NOP><NOP>

> It is clear that we would encounter problems if <ARG> was hit directly.
> Consider the following:

> <NOP><NOP><JMP><JNOP><NOP><NOP>

> In this situation <JNOP> acts both as the argument to <JMP> and, if returned
> to directly, a <NOP>. The following is the final exploit in this paper.
> It contains a specialised array of opcodes suitable to act as a <JNOP>.
> This is needed to ensure that all of the JMP's go forward, which is done
> in order to avoid an endless loop (backward jumps are possible, but they
> are too sticky to implement here):



www.citfi.org
www.podergeek.com
**********************************
"The further backward you look, the further forward you can see" Winston Churchill
"Access is GOD..."

-----BEGIN PGP MESSAGE-----
Version: PGP SDK 3.0.3

iQIVAwUBQV7PiIbxswDOQy1EAQJ3Cw/+Nw/Bf4i7Eek5vkr6GLTSXudSOv1GkS9r
LTj8ltCq1T75GyMxwaHDZ3CAJqwvyYkTPFU7G7OfM3sMYXJ7W6GfuqdBaEmDGCWO
lUfBs0JBQ/BIZrD0ukjb1KApXWessTi0INsBnxOBsL7k7FVSLGULwpN09YKBw/W6
jDr4sqFiDsriRLb3WHchbF5bDgm35AGgZTZvTdbuSesbOrdfiWJBKUpAX2iChV84
38caWVpiKULKFre4s2gLDCt5InZ0Z9txi4pbBY+eBHC2mgdca3B85h6zxEOaQvb6
wH6vlQzf2ySEDBvaU9khbpFRbVQ+rMpJS912dElZD6hsYumyGkib/h6UssrEsQGg
Py15+DxfyfUNz3Y02wgnbNxuPewtl2Ijh1az8YgySIp+0bukz10oK3U25qHI2pys
42TiRYAFX8t/H7/Q+8gVYhnf+Khvye4Zmty318qtpz6kLGPxVgan7wElaVQft9Zt
fmOuVVkuCgdHkQmjIGKNEpJTI6WiZe4OgParbtvYTff6SmOdK7OF8rJG/CYdl0HB
h5UHs72EV3rPwrbYJ+wsuSRxq/6qC7b3zl3jwHMWCLhU2sEU5drMKBsIuyy5dOEw
v2me/J5yQlOBh1HRLZJwV2ncG/9YgJe0rdjUHfQLdo3++8/ppeUMPwjOz/a9wsd3
h8VwymjCedY=
=matf
-----END PGP MESSAGE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html