git-svn-id: file:///home/svn/incoming/trunk@2638 4d416f70-5f16-0410-b530-b9f4589650da
parent
d79158d2ec
commit
9b9c2a50e4
|
@ -147,51 +147,43 @@
|
||||||
\end{sitemize}
|
\end{sitemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Nop sleds}
|
||||||
|
\subsection{Introduction}
|
||||||
|
%
|
||||||
|
% Why do we use them?
|
||||||
|
% Don't really need them for win32, why?
|
||||||
|
% Previous work (0x90, admutate)
|
||||||
|
|
||||||
\section{Pre-exploitation}
|
\subsection{OptyNop2}
|
||||||
\begin{frame}[t]
|
% Multi byte sled, just an example output
|
||||||
\frametitle{Payload encoders}
|
% Things it supports
|
||||||
|
% - jmps, loops
|
||||||
|
% - prefixes
|
||||||
|
% - badchar/reg avoidence, etc
|
||||||
|
|
||||||
\begin{sitemize}
|
\section{Encoders}
|
||||||
\item Robust and elegant encoders do exist
|
\subsection{Introduction}
|
||||||
\begin{sitemize}
|
\subsection{Shikata}
|
||||||
\item SkyLined's Alpha2 x86 alphanumeric encoder
|
|
||||||
\item Spoonm's high-permutation Shikata Ga Nai
|
|
||||||
\end{sitemize}
|
|
||||||
|
|
||||||
\pause
|
\section{Payloads}
|
||||||
\item Payload encoders generally taken for granted
|
\subsection{Introduction}
|
||||||
\begin{sitemize}
|
% Previous work
|
||||||
\item Most encoders use a static decoder stub
|
% InlineEgg, mosdef
|
||||||
\item Makes NIDS signatures easy to write
|
% Explain singles/stagers/stages
|
||||||
\end{sitemize}
|
|
||||||
\end{sitemize}
|
|
||||||
\end{frame}
|
|
||||||
|
|
||||||
\begin{frame}[t]
|
\subsection{Egg Hunters}
|
||||||
\frametitle{NOP generators}
|
% What is an egghunter and why
|
||||||
|
% Syscall research
|
||||||
\begin{sitemize}
|
% Maybe some of the linux stuff too
|
||||||
\item NOP generation hasn't publicly changed much
|
\subsection{Stagers}
|
||||||
\begin{sitemize}
|
% What is a stager and why
|
||||||
\item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
|
% Ordinal
|
||||||
\item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
|
% General staging architecture...
|
||||||
\item Not considered an important research topic to most
|
% DLL injection.. stager?
|
||||||
\end{sitemize}
|
\subsection{Stages}
|
||||||
|
% Command shell
|
||||||
\pause
|
% Piped shell for socket() (ordinal stuff)
|
||||||
\item Still, NIDS continues to play chase the tail
|
% mention how post-exploitatoin tools would generally be a stage..
|
||||||
\begin{sitemize}
|
|
||||||
\item The mouse always has the advantage; NIDS is reactive
|
|
||||||
\item Advanced NOP generators and encoders push NIDS to its limits
|
|
||||||
\item Many protocols can be complex to signature (DCERPC fragmentation)
|
|
||||||
\end{sitemize}
|
|
||||||
|
|
||||||
\pause
|
|
||||||
\item Metasploit 2.4 released with a wide-distribution
|
|
||||||
multi-byte x86 NOP generator (Opty2)
|
|
||||||
\end{sitemize}
|
|
||||||
\end{frame}
|
|
||||||
|
|
||||||
\section{Post-exploitation}
|
\section{Post-exploitation}
|
||||||
\begin{frame}[t]
|
\begin{frame}[t]
|
||||||
|
|