Double injection for stack overflow exploits can be used to reduce the size of the initial payload. If that first-stage payload is small enough not to disrupt the underlying stack frame, a clean return might be possible: the vulnerable function returns normally and the process does not crash. No crash means no crash-related log entry, which raises the bar for a host based intrusion detection system. To take advantage of this trick it is necessary to know some of the memory addresses within the vulnerable server application. One problem is that if the overflow occurs in a dynamically loaded library, the addresses are only settled when the library is mapped at load time and may differ from the preferred base address chosen at link time. I will specifically discuss an example of a clean return into a DLL. I will also cover a way to disassemble an application to get the information needed to write an exploit that reuses the existing network connection. By doing so, no packets to unrecognized port numbers are sent over the network, which makes the attack a good deal harder for many network based intrusion detection systems to spot. I will finish with a discussion of some ways to detect and prevent attacks that use these tricks. This presentation builds on the one held at Defcon 9 this summer.

Anders Ingeborn works with vulnerability assessment and penetration tests at iXsecurity in Sweden. iXsecurity's clients during the last couple of years include government agencies, banks, nuclear power plants and major corporations throughout Scandinavia. Anders also holds an MS in computer security.
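The data exchange behind the two tricks the abstract describes, as an added illustration that is not part of the talk or of iXsecurity's material: a small stage-one stub that reuses a descriptor the server already holds to pull a larger stage two off the same connection, so no new listener or outbound connection appears on the network. The wire format (a 4-byte big-endian length followed by the payload), the STAGE2_MAX bound, and the use of a pipe to stand in for the accepted TCP connection are all assumptions made here; in the real case the descriptor number comes from disassembling the server to find where it keeps the socket, which is out of scope for this snippet. Nothing here overflows anything; it only models the protocol between the two stages.

```c
/* Added example (not from the talk): stage-one/stage-two exchange over an
 * existing descriptor. Assumed wire format: [4-byte big-endian length][bytes]. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed upper bound for stage two. An attacker-supplied length is never
 * passed straight to malloc(); anything above this is treated as an error. */
#define STAGE2_MAX 65536

/* Read exactly len bytes, coping with short reads. 0 on success, -1 on EOF/error. */
static int read_exact(int fd, void *buf, size_t len) {
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Write exactly len bytes, coping with short writes. 0 on success, -1 on error. */
static int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Attacker side: send stage two down the connection that carried the overflow. */
int send_stage2(int fd, const unsigned char *stage2, uint32_t len) {
    unsigned char hdr[4] = {
        (unsigned char)(len >> 24), (unsigned char)(len >> 16),
        (unsigned char)(len >> 8),  (unsigned char)len
    };
    if (write_all(fd, hdr, sizeof hdr) != 0) return -1;
    return write_all(fd, stage2, len);
}

/* Stage one: given the descriptor of the existing connection, receive stage
 * two into a fresh buffer. Returns the buffer (caller frees) or NULL. */
unsigned char *recv_stage2(int fd, uint32_t *out_len) {
    unsigned char hdr[4];
    if (read_exact(fd, hdr, sizeof hdr) != 0) return NULL;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (len == 0 || len > STAGE2_MAX) return NULL;   /* reject bogus lengths */
    unsigned char *buf = malloc(len);
    if (buf == NULL) return NULL;
    if (read_exact(fd, buf, len) != 0) { free(buf); return NULL; }
    *out_len = len;
    return buf;
}

/* Demo: a pipe stands in for the accepted TCP socket. Returns 1 if stage two
 * arrives intact over the "existing" descriptor, 0 otherwise. */
int demo_roundtrip(void) {
    static const unsigned char stage2[] = "constructed stage-two payload bytes";
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int ok = 0;
    if (send_stage2(fds[1], stage2, (uint32_t)sizeof stage2) == 0) {
        uint32_t len = 0;
        unsigned char *got = recv_stage2(fds[0], &len);
        ok = got != NULL && len == sizeof stage2 && memcmp(got, stage2, len) == 0;
        free(got);
    }
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* Demo of the failure mode: a header claiming an oversized stage two must be
 * rejected before any allocation. Returns 1 if recv_stage2 refused it. */
int demo_reject_oversized(void) {
    static const unsigned char bad_hdr[4] = { 0x7f, 0xff, 0xff, 0xff };
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int rejected = 0;
    if (write_all(fds[1], bad_hdr, sizeof bad_hdr) == 0) {
        uint32_t len = 0;
        rejected = recv_stage2(fds[0], &len) == NULL;
    }
    close(fds[0]);
    close(fds[1]);
    return rejected;
}

int main(void) {
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "failed");
    printf("oversized header rejected: %s\n", demo_reject_oversized() ? "yes" : "no");
    return 0;
}
```

The bound check is the part worth keeping in mind on the defensive side as well: a stage-one stub that trusts the length field is itself a second overflow waiting to happen, and on the detection side a server thread that suddenly reads a length-prefixed blob it never parses anywhere else is exactly the kind of behaviour host based monitoring can look for, since no crash and no new port will be there to give it away.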