The presentation "Advances in Exploit Technology", given by H D Moore and spoonm, covered the future of exploits and how Metasploit was going to make things better... for the ones writing the exploit. They touched on comparisons of open source and closed source exploitation; dynamic vs. static addressing; return address bouncing; using the stack exception handler; polymorphic exploits to evade intrusion detection and prevention (IDS/IPS) systems; and the concept of a multi-byte NOP sled.
The most interesting aspect of the presentation was polymorphic exploitation code, which would make the life of a passive detection system much more challenging. I would imagine that it would be possible to design algorithms capable of deciphering polymorphic code based on the same principles as "BinDiff": look for common logic. It may also be possible to simply detect the polymorphic algorithm itself and avoid any code deciphering altogether.
The multi-byte NOP sled was also very interesting. It appeared to be a technique for generating random opcodes that do not negatively affect the process or the shellcode. The sled is placed on the stack before the shellcode when the return address is non-deterministic; the shellcode must then sit at an address equal to or above the highest return address that might be used. Because the sled consists of random opcodes rather than one repeated instruction, it obfuscates the sled from passive detection while still providing a clean path of execution into the shellcode.
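To make the detection side of this concrete, here is an added example (my own code, not anything from the presentation or from Metasploit) that contrasts the naive "count consecutive single-byte NOP-equivalents" heuristic with the STRIDE-style criterion the comments below point to: a span of bytes is treated as a sled candidate only if execution entered at *every* offset within the span decodes cleanly to the end of the span. The x86 opcode model is deliberately tiny and is an assumption of the example: a handful of single-byte instructions, a few opcode+imm8 forms, and the register-register form of `mov`/`xchg` (a ModRM byte with mod == 3); anything outside that model is treated as not sled-safe. The sample buffers, including the two-byte `mov eax, edi` pattern used as a stand-in for a multi-byte sled, are constructed for the example.

```python
"""STRIDE-style NOP-sled detection over a tiny x86 model (added example, not from the post)."""
from typing import Optional

# Constructed subset of single-byte 32-bit x86 instructions with no memory side effects.
SINGLE_BYTE = ({0x90}                               # nop
               | set(range(0x40, 0x50))             # inc/dec r32
               | set(range(0x91, 0x98))             # xchg eax, r32
               | {0x98, 0x99,                       # cwde, cdq
                  0xF5, 0xF8, 0xF9, 0xFC, 0xFD,     # cmc, clc, stc, cld, std
                  0x27, 0x2F, 0x37, 0x3F,           # daa, das, aaa, aas
                  0x9E, 0x9F})                      # sahf, lahf

# Opcode followed by imm8 (two bytes): add/or/adc/sbb/and/sub/xor/cmp al, imm8 and mov r8, imm8.
OP_IMM8 = {0x04, 0x0C, 0x14, 0x1C, 0x24, 0x2C, 0x34, 0x3C} | set(range(0xB0, 0xB8))

# Opcode followed by ModRM (two bytes): xchg/mov r/m32, r32 and mov r32, r/m32.
# Only the register-register form (mod == 3) is accepted; the memory forms could
# corrupt the payload, so a sled author would avoid them and so does the model.
OP_MODRM = {0x87, 0x89, 0x8B}


def insn_length(buf: bytes, i: int) -> Optional[int]:
    """Length of the model instruction starting at buf[i], or None if it is not sled-safe."""
    op = buf[i]
    if op in SINGLE_BYTE:
        return 1
    if op in OP_IMM8:
        return 2
    if op in OP_MODRM:
        if i + 1 >= len(buf):
            return 2  # truncated by the end of the buffer: counts as surviving
        return 2 if (buf[i + 1] >> 6) == 3 else None
    return None


def survives(buf: bytes, start: int, end: int) -> bool:
    """True if execution entered at `start` decodes only model instructions until it leaves `end`."""
    i = start
    while i < end:
        n = insn_length(buf, i)
        if n is None:
            return False
        i += n
    return True


def find_sled(buf: bytes, window: int = 16) -> Optional[int]:
    """STRIDE criterion: offset of the first `window`-byte span that survives entry at every offset, else None."""
    for s in range(len(buf) - window + 1):
        if all(survives(buf, e, s + window) for e in range(s, s + window)):
            return s
    return None


def longest_single_byte_run(buf: bytes) -> int:
    """Naive heuristic: longest run of consecutive single-byte NOP-equivalent opcodes."""
    best = run = 0
    for b in buf:
        run = run + 1 if b in SINGLE_BYTE else 0
        best = max(best, run)
    return best


# Constructed samples; the trailing 0xCC bytes stand in for "the payload".
CLASSIC_SLED = b"\x90" * 24 + b"\xcc" * 4
MULTI_BYTE_SLED = b"\x89\xf8" * 12 + b"\xcc" * 4   # mov eax, edi at even offsets, clc then mov from odd ones
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC_SLED), ("multi-byte", MULTI_BYTE_SLED), ("benign", BENIGN)):
        print(f"{name:10s} single-byte run={longest_single_byte_run(sample):2d}  "
              f"STRIDE window at={find_sled(sample)}")
```

The naive heuristic sees the classic 0x90 sled (run of 24) but reports a run length of 1 for the two-byte pattern, which is exactly the evasion the multi-byte sled is built for; the every-offset criterion flags both. The model also shows the known weakness of the approach: a 16-byte run of the ASCII letters `@` and `A` through `O` decodes as `inc`/`dec` from every offset and would be flagged too, so in practice the window size and the opcode model have to be tuned against the traffic being inspected.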
Comments (2)
This is a very interesting topic.
I've found a fantastic paper that looks at simple, one-byte, and multi-byte NOP sleds and gets in some depth on NIDS detection methods (STRIDE).
You can check it out here...
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
Jeremy
Posted by Jeremy | May 6, 2005 11:31 AM
If you're still thirsty for more, here are a couple of additional papers on multi-byte NOP sleds. The first touches on different types of NOP sleds, with a lot of theory... it includes more on possible NIDS detection methods. The second is a paper on Advanced Polymorphic Worms.
http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
http://www.cc.gatech.edu/~ok/w/ok_pw.pdf
enjoy!
Jeremy
Posted by Jeremy | May 9, 2005 9:22 AM