Hi Phantasmal,

Nice article, but I must say this technique is well known as a nice IDS evasion technique. Actually, what you've done is called by some people "Instruction Stacking" and has been documented in a Black Hat briefing, if I remember correctly. Although I might say I'm sure Fermin is aware of this kind of IDS bypass and that his target wasn't coding an infallible shellcode detector.

Anyway, it's a nice article :)

Greetz to Fermin also ;)

> There is still, however, one final step left - a polymorphic sled that
> works 100% of the time while still evading Serna's technique. The problem
> at hand is the extremely high likelihood that our exploit will fail if
> we land on a JMP argument. This can be solved by ensuring that all JMP
> arguments inserted into the payload are valid junk operators themselves.
> Originally a portion of our sled looked like this:
>
> <NOP><NOP><JMP><ARG><NOP><NOP>
>
> It is clear that we would encounter problems if <ARG> was hit directly.
> Consider the following:
>
> <NOP><NOP><JMP><JNOP><NOP><NOP>
>
> In this situation <JNOP> acts both as the argument to <JMP> and, if returned
> to directly, a <NOP>. The following is the final exploit in this paper.
> It contains a specialised array of opcodes suitable to act as a <JNOP>.
> This is needed to ensure that all of the JMP's go forward, which is done
> in order to avoid an endless loop (backward jumps are possible, but they
> are too sticky to implement here):

www.citfi.org
www.podergeek.com
**********************************
"The further backward you look, the further forward you can see"
Winston Churchill
"Access is GOD..."
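The quoted passage describes the <JMP><JNOP> sled but leaves the selection rule and the "land anywhere" check implicit. The following is an added example, not code from the original article, the reply, or any of the people mentioned: it builds a forward-jumping sled for 32-bit x86 in which every JMP displacement is itself a harmless single-byte instruction, and then walks the sled from every possible landing offset to confirm execution always reaches the byte just past the sled (where the real payload would start). The opcode pools (`jnop_pool`, `filler_pool`), the seeded generator and the `sled_walk` decoder are my own assumptions for illustration; the pools deliberately exclude 0x40-0x4F's 64-bit meaning (REX prefixes) and daa/das/aaa/aas are invalid in 64-bit mode, so the example is 32-bit only.

```c
/* Added example: polymorphic forward-JMP sled whose displacements are JNOPs.
 * 32-bit x86 only (assumption): 0x27/0x2F/0x37/0x3F are daa/das/aaa/aas and
 * 0x40-0x4F are inc/dec reg32; none of these exist as such in 64-bit mode. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JMP_SHORT 0xEB   /* jmp rel8: two bytes, displacement is signed */

/* Bytes usable as a JMP displacement: positive rel8 (< 0x80) AND a harmless
 * one-byte instruction if execution lands on the displacement directly. */
static const uint8_t jnop_pool[] = {
    0x27, 0x2F, 0x37, 0x3F,                         /* daa, das, aaa, aas */
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* inc eax..edi      */
    0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F  /* dec eax..edi      */
};

/* Everything the sled may contain between JMPs (a superset of jnop_pool).
 * All are one-byte instructions that only touch registers or flags. */
static const uint8_t filler_pool[] = {
    0x90, 0x27, 0x2F, 0x37, 0x3F,
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
    0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F,
    0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,       /* xchg eax, reg     */
    0x98, 0x99, 0x9F,                               /* cwde, cdq, lahf   */
    0xF5, 0xF8, 0xF9, 0xFC, 0xFD                    /* cmc clc stc cld std */
};

/* Tiny deterministic PRNG so sleds are reproducible for a given seed. */
static uint32_t next_rand(uint32_t *s)
{
    *s = *s * 1103515245u + 12345u;
    return (*s >> 16) & 0x7fff;
}

int is_harmless(uint8_t b)
{
    return memchr(filler_pool, b, sizeof filler_pool) != NULL;
}

/* Sanity check on the pools: every JNOP must be a forward rel8 and harmless. */
int jnop_pool_is_harmless(void)
{
    for (size_t i = 0; i < sizeof jnop_pool; i++)
        if (jnop_pool[i] >= 0x80 || !is_harmless(jnop_pool[i]))
            return 0;
    return 1;
}

/* Fill out[0..len) with filler, placing a JMP at every jmp_every-th offset
 * whenever some JNOP displacement keeps the target inside [0, len]. */
size_t build_sled(uint8_t *out, size_t len, uint32_t seed, unsigned jmp_every)
{
    uint32_t s = seed;
    size_t pos = 0;
    while (pos < len) {
        size_t room = len - pos;
        if (jmp_every && pos % jmp_every == 0 && room >= 2) {
            uint8_t cand[sizeof jnop_pool];
            size_t n = 0;
            for (size_t i = 0; i < sizeof jnop_pool; i++)
                if ((size_t)jnop_pool[i] <= room - 2)   /* pos+2+disp <= len */
                    cand[n++] = jnop_pool[i];
            if (n) {
                out[pos++] = JMP_SHORT;
                out[pos++] = cand[next_rand(&s) % n];
                continue;
            }
        }
        out[pos++] = filler_pool[next_rand(&s) % sizeof filler_pool];
    }
    return pos;
}

/* Simulate landing at `start`: 1 if execution reaches exactly offset len
 * (the payload), 0 if it hits a non-harmless byte, leaves the sled, or loops. */
int sled_walk(const uint8_t *sled, size_t len, size_t start)
{
    size_t pos = start, steps = 0;
    while (pos < len) {
        if (++steps > len) return 0;                  /* loop guard */
        uint8_t op = sled[pos];
        if (op == JMP_SHORT) {
            if (pos + 1 >= len) return 0;             /* displacement is payload */
            long target = (long)pos + 2 + (int8_t)sled[pos + 1];
            if (target < 0 || target > (long)len) return 0;
            pos = (size_t)target;
        } else if (is_harmless(op)) {
            pos++;
        } else {
            return 0;   /* multi-byte or side-effecting instruction: desync */
        }
    }
    return pos == len;
}

int sled_is_safe(const uint8_t *sled, size_t len)
{
    for (size_t off = 0; off < len; off++)
        if (!sled_walk(sled, len, off)) return 0;
    return 1;
}

int main(void)
{
    uint8_t sled[64];
    build_sled(sled, sizeof sled, 1, 6);
    for (size_t i = 0; i < sizeof sled; i++) printf("%02x%s", sled[i], i % 16 == 15 ? "\n" : " ");
    printf("safe from every offset: %s\n", sled_is_safe(sled, sizeof sled) ? "yes" : "no");
    return 0;
}
```

The contrast the article draws is visible in `sled_walk`: a sled built with an arbitrary displacement such as `EB 05` passes when entered at the JMP but fails when entered at offset 2, because 0x05 is the first byte of `add eax, imm32` and eats the next four bytes; the same walk succeeds from every offset when the displacement comes from `jnop_pool`. The walker is a deliberately minimal decoder (one-byte instructions plus short JMP), which is exactly what this sled format needs; it is not a general x86 disassembler.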