[Full-disclosure] Collision Course - Unveiling some IPS/IDS weakness!
nbrito at sekure.org
Sat Sep 20 04:34:16 BST 2008
It's been a long time since I submitted any new code or even results of any research, so here it is... This is ENG (Encore Next Generation), using unpublished morphic techniques to write "unpredictable" exploit codes...

It uses a pretty old vulnerability (MS02-039 - credits to David Litchfield), and the only reason I'm making this available is to prove that an exploit can be written using automation techniques trying to be unpredictable. AFAIK, this technique can be applied in any/some exploitation.

Of course I took some good stuff out, and will keep it just for friends. I was planning to send a good paper on that subject next December, right after the H2HC, but I don't have the patience, and this technique is probably something already presented and not brand new, sorry. :D

I think that the idea is in the code, so take a careful look at the code and I promise you will understand the technique.
The Collision Course Project has two main codes:

- NNG (Numb Next Generation): a false-positive tool targeting the same vulnerability; it is available @ PacketStorm, btw, thanks Todd for adding it (http://www.packetstormsecurity.nl/UNIX/IDS/nng-4.13r-public.rar).
- ENG (Encore Next Generation): a false-negative (morphic) tool.

Using both of them to test IPS/IDS is a good way to check the capability of the detection technology and should help you to understand why attackers can break into your network. I promise you: you will be surprised by the results of the combinations you can do using NNG and ENG. I'm not kidding!!!

PS: I take no responsibility for any damage caused by misuse of these two codes, so take care with your own acts!
- Alpha2.c by Berend-Jan Wever
- NOP Injection in Alpha shellcode first mentioned by Matt Conover
- OpcodeDB by HD Moore
- MS02-039 by David Litchfield
- PacketStorm by Todd

[*] You are not allowed to add any technique used in this tool in any commercial tool. ;)
IT Security Professional
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 36581 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080920/9fc8013e/attachment.obj
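The post's point is that a sensor has to be measured on both failure modes at once: a decoy generator like NNG exposes false positives, an evasion generator like ENG exposes false negatives. The harness below is an added example written for this page, not code from the post or from the NNG/ENG tools: it takes a ground-truth table for the probes you sent (which ones carried a real attack and which were benign look-alikes), parses the sensor's alert log, and reports the confusion matrix with the derived rates so the two failure modes are scored separately. The probe ids, the `probe=... action=alert` log format and all sample values are constructed for illustration; a real deployment would map alerts back to probes by whatever correlation key (source port, timestamp, payload marker) the test rig records.

```python
"""Score an IDS/IPS against a labelled test set of probes.

Added example, not part of the original post or of the ENG/NNG tools.
Ground truth and alert log below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed ground truth: probe id -> True if the probe carried a real attack.
GROUND_TRUTH: Dict[str, bool] = {
    "p001": True,   # real exploit variant (what an evasion tool would send)
    "p002": True,
    "p003": False,  # benign decoy shaped like the attack (what a decoy tool sends)
    "p004": False,
    "p005": True,
    "p006": False,
}

# Constructed alert log in a hypothetical "timestamp sid=N probe=ID action=alert" format.
ALERT_LOG = """\
2008-09-20T04:34:16 sid=2003 probe=p001 action=alert
2008-09-20T04:34:17 sid=2003 probe=p003 action=alert
2008-09-20T04:34:18 sid=2003 probe=p005 action=alert
2008-09-20T04:34:19 sid=2003 probe=p004 action=alert
2008-09-20T04:34:20 sid=2003 probe=p999 action=alert
"""

ALERT_RE = re.compile(r"probe=(?P<probe>\S+)\s+action=alert\b")


@dataclass
class Scorecard:
    tp: int  # real attacks that raised an alert
    fp: int  # benign decoys that raised an alert
    fn: int  # real attacks that passed silently
    tn: int  # benign decoys that passed silently
    unlabelled: Tuple[str, ...]  # alerts for probe ids not in the ground truth

    @staticmethod
    def _ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    @property
    def precision(self) -> float:
        return self._ratio(self.tp, self.tp + self.fp)

    @property
    def recall(self) -> float:
        """Detection rate over real attacks; 1 - recall is the evasion rate."""
        return self._ratio(self.tp, self.tp + self.fn)

    @property
    def false_positive_rate(self) -> float:
        """Share of benign decoys that fired; the decoy tool drives this."""
        return self._ratio(self.fp, self.fp + self.tn)


def alerted_probes(log_text: str) -> Set[str]:
    """Collect every probe id the sensor alerted on (one alert per probe is enough)."""
    return {m.group("probe") for m in ALERT_RE.finditer(log_text)}


def score(truth: Dict[str, bool], alerted: Set[str]) -> Scorecard:
    tp = sum(1 for p, mal in truth.items() if mal and p in alerted)
    fn = sum(1 for p, mal in truth.items() if mal and p not in alerted)
    fp = sum(1 for p, mal in truth.items() if not mal and p in alerted)
    tn = sum(1 for p, mal in truth.items() if not mal and p not in alerted)
    unlabelled = tuple(sorted(alerted - set(truth)))
    return Scorecard(tp, fp, fn, tn, unlabelled)


def missed_attacks(truth: Dict[str, bool], alerted: Set[str]) -> List[str]:
    """Probe ids of real attacks the sensor did not flag (the false negatives)."""
    return sorted(p for p, mal in truth.items() if mal and p not in alerted)


def false_alarms(truth: Dict[str, bool], alerted: Set[str]) -> List[str]:
    """Probe ids of benign decoys the sensor flagged (the false positives)."""
    return sorted(p for p, mal in truth.items() if not mal and p in alerted)


if __name__ == "__main__":
    seen = alerted_probes(ALERT_LOG)
    card = score(GROUND_TRUTH, seen)
    print(f"TP={card.tp} FP={card.fp} FN={card.fn} TN={card.tn}")
    print(f"precision={card.precision:.2f} recall={card.recall:.2f} "
          f"fpr={card.false_positive_rate:.2f}")
    print("missed attacks:", missed_attacks(GROUND_TRUTH, seen))
    print("false alarms:", false_alarms(GROUND_TRUTH, seen))
    print("alerts with no matching probe:", card.unlabelled)
```

Alerts whose probe id is not in the ground truth are kept aside rather than silently counted, since they usually mean the correlation key is wrong or background traffic leaked into the test window; a scorecard built on mismatched ids says nothing about the sensor.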
Full-Disclosure is hosted and sponsored by Secunia.