Writing anti-IDS Shellcode

Date: 07 Oct 2002
Posted by: Anthony Pell
In the last few weeks I have made an intensive study of Intrusion Detection Systems like snort. I found that several ways of escaping detection while checking for vulnerable CGIs had already been worked out by RFP. Many other common intrusion tactics, like port scanning, could also be evaded by using stealth scanners like nmap. But I noticed that the IDS also checked for a person trying to remotely buffer-overflow a daemon. When I searched the net for anti-IDS tactics for escaping from being tracked that way, I found none. So I decided to do a bit of thinking :).

An IDS detects a cracker trying to smash the stack by analyzing the network traffic: if it finds 0x90 (NOP) bytes, it logs the event as a penetration attempt together with the packet's details.
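The detection logic described above, as an added example that is not part of the original article and not snort's own code: a minimal NOP-sled detector that scans a packet payload for the longest run of 0x90 bytes and raises an alert once that run reaches a threshold. The threshold value and the sample payloads are constructed assumptions for illustration.

```python
# Added example (not from the original article, not snort's implementation):
# a minimal NOP-sled detector of the kind the text attributes to an IDS.
# It finds the longest run of 0x90 (x86 NOP) bytes in a payload and alerts
# when that run reaches a threshold. Threshold and samples are assumptions.
from typing import Dict, Tuple

NOP = 0x90
# Assumed threshold: shorter runs are treated as incidental binary data.
DEFAULT_THRESHOLD = 14


def longest_nop_run(payload: bytes) -> Tuple[int, int]:
    """Return (offset, length) of the longest run of NOP bytes in payload.

    Returns (-1, 0) when the payload contains no NOP byte at all.
    """
    best_off, best_len = -1, 0
    run_off, run_len = -1, 0
    for i, b in enumerate(payload):
        if b == NOP:
            if run_len == 0:
                run_off = i          # start of a new run
            run_len += 1
            if run_len > best_len:
                best_off, best_len = run_off, run_len
        else:
            run_len = 0              # run broken by a non-NOP byte
    return best_off, best_len


def inspect_payload(payload: bytes, threshold: int = DEFAULT_THRESHOLD) -> Dict[str, object]:
    """Classify one packet payload the way a NOP-sled signature would."""
    offset, length = longest_nop_run(payload)
    return {
        "alert": length >= threshold,
        "nop_run_offset": offset,
        "nop_run_length": length,
    }


# Constructed sample payloads (not real traffic and not real shellcode).
SAMPLES: Dict[str, bytes] = {
    # Ordinary text traffic: contains no 0x90 byte.
    "http_get": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # Binary data with a few scattered 0x90 bytes; longest run is 3.
    "binary_blob": bytes([0x01, 0x90, 0x90, 0x02, 0x90, 0xFF, 0x90, 0x90, 0x90, 0x03]),
    # A classic sled: a long run of 0x90 followed by filler bytes standing in
    # for whatever would follow the sled in a real exploit.
    "nop_sled": b"\x90" * 64 + b"X" * 32,
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES,
                 threshold: int = DEFAULT_THRESHOLD) -> Dict[str, Dict[str, object]]:
    """Run the detector over every sample and return the per-sample verdicts."""
    return {name: inspect_payload(data, threshold) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "ALERT" if verdict["alert"] else "ok   "
        print(f"{flag} {name}: longest NOP run {verdict['nop_run_length']} "
              f"bytes at offset {verdict['nop_run_offset']}")
```

Running the block prints one verdict per sample; only `nop_sled` trips the alert. A production IDS adds more than this (a depth limit on how far into the payload it looks, port and direction qualifiers, and reassembly so a sled split across packets is still seen), but the core test is the same: a signature keyed on a run of the literal byte 0x90, which is exactly the dependency the article goes on to examine.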

The main problem here is the presence of NOPs in the shellcode. Exploits usually pad the stack with NOPs so that the return address doesn't have to be exact. It is this NOP which is the problem. The main shellcode (which probably starts execve or appends a line to passwd) need not be changed, because it doesn't contain NOPs. The problem lies here:
