[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48DD5BDB.80108@elet.polimi.it>
Date: Sat, 27 Sep 2008 00:02:03 +0200
From: Stefano Zanero <zanero@...t.polimi.it>
To: Nelson Brito <nbrito@...ure.org>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
Focus-IDS <focus-ids@...urityfocus.com>
Subject: Re: "Exploit creation - The random approach" or "Playing with random
to build exploits"
Nelson Brito wrote:
> 1. Slammer was the very first Flash Worm,
Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
which follows a precomputed spreading path, by using prior knowledge of
all the systems that are vulnerable to the particular exploit in use.
And Slammer didn't.
It is actually akin to a Warhol worm.
> dissemination, it only took 15 minutes to crash all the Internet
> infra-structure
How exagerate ;)
> we didn't learn how to deal with worms
Nope, we didn't. But people stopped writing worms, because writing bots
is much more rewarding, economically.
> -[ Polymorphic Code
>
> This is not a new topic
No, indeed, it's very old.
> for years and years, but all our attention was gave to the shellcode.
Well, actually that's because the polymorphic code for viruses and worms
came even before, and was already a beaten issue.
> even during my research, when I talked to someone about the perspective of
> having a real polymorphic code, people always got confused with polymorphic
> shellcode.
Strange, usually it's the other way round.
> Polymorphic code means that a code will change every time it executes,
> making it unpredictable. What we have, so far, are static codes, and I never
> saw any “dynamic” code exploiting any vulnerability.
Didn't you mention you were NOT thinking of polymorphic SHELL-code, but
polymorphic code ?
>That is the reason some
> IPS/IDS can easily add signatures.
Well, actually shellcode signatures are common, but they are not the reason.
And, signature based IPS/IDS have so many faults that you don't really
need polymorphic (shell)code to fool them.
> Now, we know how we must build the exploit, and I think we can do a great
> job randomizing all the fields. Here are the fields ENG needs to deal with:
> attack vector, buffer, return address, jumps, writable address, nops, and
> shellcode.
This is what most of us would call "obfuscating an attack", or "mutating
an attack". Just so that you know, a tool named SPLOIT was already made
to perform a number of mutations over exploits (at this and other levels).
Thanks for the write up. It's an handy cheat sheet for some things.
> I do hope I could proof all the concepts behind this idea,
Yep, well, you could just mention them. We already knew them ;-)
And, I don't see how these have to do with making a Warhol worm more
dangerous. Signature-based systems will never be useful against a Warhol
worm in any case, because the updates will simply be too late.
SZ
Powered by blists - more mailing lists