Date: Sat, 20 Sep 2008 00:34:16 -0300
From: "Nelson Brito" <nbrito@...ure.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Collision Course - Unveiling some IPS/IDS weakness!

Hello, mates.

It's been a long time since I submitted any new code or even the results of any research, so
here it is... This is ENG (Encore Next Generation), using unpublished morphic
techniques to write "unpredictable" exploit codes...

It uses a pretty old vulnerability (MS02-039 - Credits to David Litchfield),
and the only reason I'm making this available is to prove that an exploit
can be written using automation techniques that try to be unpredictable.
AFAIK, this technique can be applied to any/some exploitation.

Of course I took some good stuff out, and will keep it just for friends.

I was supposed to send a good paper on that subject next December, right
after the H2HC, but I don't have the patience, and this technique is probably
something already presented and not brand new, sorry. :D

I think that the idea is in the code, so take a careful look at the code and
I promise you will understand the technique.

The Collision Course Project has two main codes:
- NNG (Numb Next Generation): a false-positive tool targeting the same
vulnerability, and it is available @ PacketStorm, btw, thanks Todd for
adding it (http://www.packetstormsecurity.nl/UNIX/IDS/nng-4.13r-public.rar).
- ENG (Encore Next Generation): a false-negative (morphic) tool.

Using both of them to test IPS/IDS is a good way to check the capability of
the detection technology and should help you to understand why attackers can
break into your network. I promise you: you will be surprised by the results
of the combinations you can do using NNG and ENG. I'm not kidding!!!

PS: I take no responsibility for any damage caused by misuse of these two
codes, so take care with your own acts!

Credits:
- Alpha2.c by Berend-Jan Wever
- NOP Injection in Alpha shellcode first mention by Matt Conover
- OpcodeDB by HD Moore
- MS02-039 by David Litchfield
- PacketStorm by Todd

[*] You are not allowed to add any technique used in this tool in any
commercial tool. ;)

Best regards.

Nelson Brito
IT Security Professional

{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}$0;

Download attachment "eng-4.23-public.rar" of type "application/octet-stream" (36581 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
