-------------------------- Writing anti-IDS shellcode ========================== By rash (rash@security.is) Introduction : In the last few weeks i had made an intensive study of Intrusion - Detection Systems like snort. I found that several ways of escaping from being detected while checking for vulnerable CGI's were already made by RFP (rfp@wiretrip.net). Also many other common intrusion tactics like port-scanning was also escaped by using stealth-scanners like nmap. But I noticed that the IDS had also checked for a person trying to remotely buffer overflow a daemon. When I searched through the net for anti-IDS tactics for escaping form being tracked, I found none. So i decided to do a bit of thinking :). Detection : IDS detect a cracker trying to smash the stack by analyzing the network trafic, and if they find a 0x90 (NOP), they report to the logs as penetration with the packet's details. Anti-IDS tactic: The main problem here is the presence of NOP's in the shellcode. Exploits usually pad the stack with NOP's so that the return address dosent have to be exact. It is this NOP which is the problem. The main shellcode (which probably start execve or append a line to passwd) need not be changed because it dosent contain NOP's. The problem lies here - for(i=0;i<(LEN-strlen(shellcode));i++){*(bof+i)=0x90;} where the beginning of the stact gets padded with NOP's. NOP is used only to jump to the next instruction without any modification to execution of the assembly code. NOP=No OPeration. But the same function can be achieved by using a jump to the next instrucion (jmp 0x00). The Problems : 1) The jump instruction (0xeb 0x00) is two bytes unlike the NOP instruction which is only one byte. So the offset has to be more difficult to calculate because is the return address is in between 0xeb and 0x00 then crash, boom, bang :). 2) A nice shellcode isn't supposed to consist of binary 0's and this one does (0x00). Solution : 1) This is not really a problem. If the exploit dosent work we just have to add or subtract 1 from the offset since the jmp instruction is 2 bytes. 2) If we cannot jump one byte, we jump two bytes (jmp 0x02) and this does'nt have binary zero's and will work fine. Code: Replace this : 0x90 With this : 0xeb0x02 Thanks to: Mixter, for letting me know that there would be a problem of binary zero's if i had jumped and also for all the questions i asked :). Example code for x86: char sc[] = "\xeb\x1a\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3" "\x8d\x4e\x08\x8d\x56\x08\x31\xd2\xcd\x80\xe8\xe1\xff\xff\xff/bin/sh"; char buf[256]; int main() { /* memset(buf,0x90,256); */ int i; for (i = 0; i < 256; i += 2) *(short *) &buf[i] = 0xeb02; memcpy(buf + 256 - strlen(sc), sc, strlen(sc)); ((void (*)(void)) buf) (); return 0; }