lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 27 Sep 2008 00:02:03 +0200
From: Stefano Zanero <zanero@...t.polimi.it>
To: Nelson Brito <nbrito@...ure.org>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
	Focus-IDS <focus-ids@...urityfocus.com>
Subject: Re: "Exploit creation - The random approach" or "Playing with random
 to build exploits"

Nelson Brito wrote:

> 	1. Slammer was the very first Flash Worm,

Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
which follows a precomputed spreading path, by using prior knowledge of
all the systems that are vulnerable to the particular exploit in use.
And Slammer didn't.

It is actually akin to a Warhol worm.

> dissemination, it only took 15 minutes to crash all the Internet
> infra-structure 

How exagerate ;)

> we didn't learn how to deal with worms

Nope, we didn't. But people stopped writing worms, because writing bots
is much more rewarding, economically.

> -[ Polymorphic Code
> 
> This is not a new topic

No, indeed, it's very old.

> for years and years, but all our attention was gave to the shellcode. 

Well, actually that's because the polymorphic code for viruses and worms
came even before, and was already a beaten issue.

> even during my research, when I talked to someone about the perspective of
> having a real polymorphic code, people always got confused with polymorphic
> shellcode.

Strange, usually it's the other way round.

> Polymorphic code means that a code will change every time it executes,
> making it unpredictable. What we have, so far, are static codes, and I never
> saw any “dynamic” code exploiting any vulnerability. 

Didn't you mention you were NOT thinking of polymorphic SHELL-code, but
polymorphic code ?

>That is the reason some
> IPS/IDS can easily add signatures. 

Well, actually shellcode signatures are common, but they are not the reason.

And, signature based IPS/IDS have so many faults that you don't really
need polymorphic (shell)code to fool them.

> Now, we know how we must build the exploit, and I think we can do a great
> job randomizing all the fields. Here are the fields ENG needs to deal with:
> attack vector, buffer, return address, jumps, writable address, nops, and
> shellcode.

This is what most of us would call "obfuscating an attack", or "mutating
an attack". Just so that you know, a tool named SPLOIT was already made
to perform a number of mutations over exploits (at this and other levels).

Thanks for the write up. It's an handy cheat sheet for some things.

> I do hope I could proof all the concepts behind this idea,

Yep, well, you could just mention them. We already knew them ;-)

And, I don't see how these have to do with making a Warhol worm more
dangerous. Signature-based systems will never be useful against a Warhol
worm in any case, because the updates will simply be too late.

SZ

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ