lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4093123484.20041002175552@arrakis.es>
From: zeroboy at arrakis.es (zero)
Subject: On Polymorphic Evasion

Hi Phantasmal,
   Nice article, but I must say this technic is well known as a nice
   IDS evasion technic. Actually what you've done is called by some
   people "Instruction Stacking" and has been documented in a blackhat
   briefing if I don't remember bad.

   Although I might say I'm sure Fermin is aware of this kind of IDS
   bypass and that his target wasn't coding an infalible shellcode detector.

   Anyway, it's a nice article :)

   Greetz to Fermin also ;)

> There is still, however, one final step left - a polymorphic sled that
> works 100% of the time while still evading Serna's technique. The problem
> at hand is the extremely high likelihood that our exploit will fail if
> we land on a JMP argument. This can be solved by ensuring that all JMP
> arguments inserted into the payload are valid junk operators themselves.

> Originally a portion of our sled looked like this:

> <NOP><NOP><JMP><ARG><NOP><NOP>

> It is clear that we would encounter problems if <ARG> was hit directly.
> Consider the following:

> <NOP><NOP><JMP><JNOP><NOP><NOP>

> In this situation <JNOP> acts both as the argument to <JMP> and, if returned
> to directly, a <NOP>. The following is the final exploit in this paper.
> It contains a specialised array of opcodes suitable to act as a <JNOP>.
> This is needed to ensure that all of the JMP's go forward, which is done
> in order to avoid an endless loop (backward jumps are possible, but they
> are too sticky to implement here):



www.citfi.org 
www.podergeek.com 
********************************** 
"The further backward you look, the further forward you can see" Winston Churchill 
"Access is GOD..." 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 812 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041002/9446d4b7/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ