lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <004a01cc47d6$6e77f330$4b67d990$@sekure.org>
Date: Thu, 21 Jul 2011 15:45:54 -0300
From: "Nelson Brito" <nbrito@...ure.org>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>,
	<dailydave@...ts.immunityinc.com>
Subject: Permutation Oriented Programming

<++BOF>

-=[ Introduction
Many works have been done regarding evasion techniques against Intrusion Detection System (IDS) and Intrusion Prevention System (IPS), but most of them are related to:
 - Packet fragmentation [1]
 - Stream segmentation [1]
 - Byte and traffic insertion [1]
 - Polymorphic shellcode [2]
 - Denial-of-Service [1]
 - URL obfuscation (+ SSL encryption) [3]
 - RPC fragmentation [4]
 - HTML obfuscation [5] and JavaScript obfuscation [6]
 - Etc...

Permutation Oriented Programming (formerly known as Exploit Next Generation) introduces a different and powerful approach, which can be applied to almost all vulnerability, which targets the vulnerability trigger - so far none, or just few, research has been conducted addressing the vulnerability trigger.

-=[ Approach
To circumvent or avoid a pattern-matching detection approach, there are two options:
 1. Easier (or Harder): know how the vulnerability is detected (access to signature/vaccine [7]).
 2. Harder (or Easier): know deeply how to trigger the vulnerability and how to exploit it (access to vulnerable ecosystem).

-=[ Technique
Permutation Oriented Programming (also known as POP) is neither a new technique to obfuscate code nor a new technique to polymorphic shellcode, instead, it is a brand-new technique intended to change the behavior of exploit developers, and it provides a specific set of procedures for offering set based permutation of key aspects of an exploit to bypass, or perform quality assurance, ineffective IDS and IPS technologies:
 - Pattern-matching signatures
 - Stateful Packet Inspection
 - Deep Packet Inspection

POP (pronounced /pŏp/) technique works by deep analysis of a vulnerability and using all the acquired knowledge of this analysis to offer a variety of decision points targeting the actual triggering of the vulnerability (i.e., brand-new variants), rather than the shellcode that executes after the vulnerability.

For POP technique to be effective, it requires exploit developers, as well as IDS and IPS developers, to determine additional paths to execution beyond those that are available in a standard exploit, or even in a standard proof-of-concept codes, including commercial automated penetration-test tools.

For POP technique to be effectively stopped, it requires that IDS and IPS developers understand the traits of the vulnerability equally well, and can detect multiple paths of execution. In essence, it shows the frailty of signature based IDS and IPS solutions. If they are simply based on pattern-matching signatures, they will not match the pattern after permutation, because they are skipping paths to execution and their signatures will fail on the permutation. Only IDS and IPS solutions that are robust will catch all of the permutation.

-=[ Last words
I have decided to change the name of this technique, because hackers and researchers have repulsion of the term "Next Generation"... Anyways, the technique is still the same and still is oriented to programming and knowledge.

The files, including PH-Neutral 0x7db [8] slide-deck and examples, are available at:
 - http://code.google.com/p/permutation-oriented-programming/

-=[ References & Credits
[1] "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" by Thomas H. Ptacek and Timothy N. Newsham
      http://insecure.org/stf/secnet_ids/secnet_ids.html
[2] "DefCon 9: ADMmutate Polymorphic Shellcode API" by K2
      http://www.youtube.com/watch?v=Oc-MyOXbYH0
[3] "A look at whisker's anti-IDS tactics" by Rain Forest Puppy
      http://www.ussrback.com/docs/papers/IDS/whiskerids.html
[4] "Black Hat USA: IPS Shortcomings" by Renaud Bidou
      http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bidou.pdf
[5] "HTML obfuscation tool" by isnoop.net
      http://isnoop.net/tools/obfuscate.php
[6] "Online JavaScript Obfuscator" by Daft Logic
      http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
[7] "Black Hat USA: A Simpler Way of Finding 0day" by Robert Graham and David Maynor
      https://www.blackhat.com/presentations/bh-usa-07/Maynor_and_Graham/Whitepaper/bh-usa-07-maynor_and_graham-WP.pdf
[8] PH-Neutral 0x7db by Phenoelit
      http://ph-neutral.org/
     http://www.youtube.com/watch?v=IZYQILfxHiw

<--EOF>

Best regards.

Nelson Brito
"Intellectus excedit, praestat tacere."
--
http://about.me/nbrito
8BD6 8CAD 41B7 19C5 EC04 C66D 70ED 23E4 E5AB 95EB

/* CIDR Calculator C Algorithm */
netmask   = ~(0xffffffff >> cidr);
hostid    = (1 << (32 - cidr)) - 2;
_1st_addr = (ntohl(addr) & netmask) + 1;



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ