From: jeru (jeru NEWHACKCITY.NET)
Date: Wed Apr 04 2001 - 05:00:44 CDT
Hi all,
If you are interested in some stealth shellcode, I did a talk at defcon 8
and CCC congress covering shellcode encryption, nop sled obfuscation and other
techniques. I never released a whitepaper, but I do have the presentation
up which shows the concepts and some simple example code.
http://pr0n.newhackcity.net/~jeru/idsevade.ppt
Sorry in advance for the powerpoint, I can make it into a text file later
this week. K2's library is pretty nice, I saw it a little before
CanWest. I believe he also included my multi-byte nop instruction
stacking. Very sweet library. My presentation just shows different
techniques.
--jeru
www.newhackcity.net/~jeru
On Tue, 3 Apr 2001, Dragos Ruiu wrote:
> I don't believe he monitors this list so I'm including him on the chain...
>
> ADMmutate isn't a script kiddy tool, for sure, as it requires an understanding
> of how an exploit works despite the "helper" stuff that K2 has put in. But it
> is a good attack technique and does remove the ability to have a pure and
> "infallible" shellcode signature - a signature that I likened to a "defensive
> silver bullet" always means trouble, and never falses. I have to look at his
> newer code before I can comment further...
>
> cheers,
> --dr
>
> p.s. ......"just another fragrouter" ?.... I'm not sure how to take that....
> fragrouter was enough of a rpita for me. :-)
>
> On Tue, 03 Apr 2001, Bill Marquette wrote:
> > K2 did present ADMmutate...and yes, it is very cool (and a little frightening).
> > The basic premise behind it (I'll let K2 explain more if he's watching this
> > list) is that he uses virus like features to obfuscate the shellcode. ADMmutate
> > can be used on any existing shell code (any current exploit) and will encrypt
> > the shell code with a polymorphic decrypter. I would expect that the code will
> > be available for public release soon, you might even try K2's website
> > http://www.ktwo.ca. As the article mentions, it isn't "easy" to modify a
> > current exploit to use this, the point and click script kiddie will have to wait
> > until someone does it for them. The slightly above average skript kiddie won't
> > have that hard of a time modifying exploit code to use ADMmutate though.
> >
> > --Bill
> >
> >
> >
> > From: Vitaly Osipov <vosipov WOLFEGROUP.COM> on 04/03/2001 09:15 AM
> >
> > Please respond to Vitaly Osipov <vosipov WOLFEGROUP.COM>
> >
> > To: FOCUS-IDS SECURITYFOCUS.COM
> > cc:
> > Client:
> > Subject: CanSecWest and ADMutate
> >
> >
> >
> > I've seen some news stories like
> > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
> > called K2 from ADCrew presented at CanSecWest a program for IDS evasion (as
> > far as I understand, though the descriptions are very vague). Has somebody
> > been there and can shed some light on this? Is it really as c00l as the news
> > says or is it just another fragrouter? :)
> >
> > regards,
> > W.
> --
> Dragos Ruiu <dr dursec.com> dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
>
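
The loss of an "infallible" static shellcode signature discussed in this thread, seen from the detection side. This is an added example, not code from the thread, from ADMmutate, or from jeru's presentation; the opcode set, the 32-byte threshold and every sample buffer are constructed assumptions.

```python
# Added example: static NOP signature vs. run-length heuristic (IA-32).
# Threshold and all sample buffers are constructed for illustration.

STATIC_SIG = b"\x90" * 16  # classic signature: 16 literal NOP bytes

# One-byte IA-32 opcodes treated as sled candidates (harmless to execute
# when their register/flag side effects do not matter).
SLED_BYTES = frozenset(
    [0x90]                            # nop
    + list(range(0x40, 0x50))         # inc/dec r32  (ASCII '@'..'O')
    + list(range(0x50, 0x60))         # push/pop r32 (ASCII 'P'..'_')
    + list(range(0x91, 0x98))         # xchg eax, r32
    + [0x98, 0x99, 0x9E, 0x9F]        # cwde, cdq, sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]  # cmc, clc, stc, cld, std
)

def static_match(payload: bytes) -> bool:
    """Exact-bytes signature: fires only on a literal 0x90 run."""
    return STATIC_SIG in payload

def longest_sled_run(payload: bytes) -> int:
    """Length of the longest run made only of sled-candidate bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in SLED_BYTES else 0
        best = max(best, run)
    return best

def heuristic_match(payload: bytes, threshold: int = 32) -> bool:
    """Class-based rule: fires on any long enough candidate run."""
    return longest_sled_run(payload) >= threshold

# Constructed samples; 0xCC (int3) stands in for whatever follows a sled.
CLASSIC = b"\x90" * 64 + b"\xcc" * 8
MIXED = bytes([0x41, 0x4A, 0x90, 0xF8, 0x99, 0x43, 0xFC, 0x97] * 8) + b"\xcc" * 8
BENIGN = b"X-Session: QWERTYUIOPASDFGHJKLZXCVBNMQWERTYUIOP\r\n"

if __name__ == "__main__":
    for name, buf in (("classic", CLASSIC), ("mixed", MIXED), ("benign", BENIGN)):
        print(name, static_match(buf), longest_sled_run(buf), heuristic_match(buf))
```

The constructed benign header trips the heuristic because uppercase ASCII shares byte values with the inc/dec/push/pop opcodes, so the broader rule catches the mixed sled only at the cost of false positives that the exact signature never produced.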