Network Security Pen-Test

HIPS Buffer Overflow Protection - Bypass

Subject: HIPS Buffer Overflow Protection - Bypass
Date: Tue, 14 Nov 2006 15:20:22 -0700
List, 
  
I've recently been testing some HIPS products to gauge their
effectiveness against different exploits and stumbled on something a
little strange yesterday.  Everything I launched against one of the
products (to remain anonymous) was picked up either by the signature
based prevention or its generic buffer overflow protection.  I was
almost ready to hang it up and then I decided to change up some of the
payloads in the attacks to see if that would make a difference.
  
I launched the ms06-040 exploit against an unpatched Win2K Server SP4
system using Metasploit 3.0.  Every payload I tried was caught, EXCEPT
for the windows/adduser payload.  After running the exploit with this
payload, an account was successfully created on the system with
administrator privileges.  It worked like a charm.
  
My question to all of you is basically, why would this product detect
and prevent all of the other payloads used with this exploit except for
this one?  Would it be because of the size (adduser payload is smaller
than say the bind_tcp payload) or something else?  Could it be that
since the product did not have a signature for that specific exploit,
and it relied on the buffer overflow protection piece, the exploit ran,
and when it came time for the shellcode to run, it did not detect it as
"foreign" or not authorized?   
  
I don't want to have to say which product this was, but I will say that
I will be trying this exact vector on the next few I try and will post
an update if they too allow this to happen.  It just confuses me as to
why a certain shellcode is allowed to execute and others would not be. 
 
  
Any help would be great.  I'm just trying to satisfy my own curiosity
here and see if maybe there's something a little deeper that I may have
stumbled on.  Thanks. 
  
- Bart
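Whatever the HIPS did or did not catch, the observable outcome in the post is a new local account landing in the Administrators group, and that is something the host's own Security log records regardless of which payload produced it. The script below is an added example written for this thread, not code from the poster or from any HIPS vendor. It reads constructed, tab-separated audit records (timestamp, event ID, subject, target account, group) and pairs an account-creation event with a later addition of the same account to a privileged local group inside a short window. The event IDs are the real ones (624/636 on Windows 2000/2003, 4720/4732 on Vista and later); the record layout, the sample data and the assumption that creation by SYSTEM or a machine account rather than an interactive administrator deserves a higher score are my own choices for the example.

```python
"""Flag a freshly created local account that is promoted to a privileged group.

Added example for the HIPS bypass thread; not the poster's code and not part of
any product. Records are constructed here so the script runs offline.
"""
from datetime import datetime

# Windows Security log event IDs: "user account created" and
# "member added to security-enabled local group".
USER_CREATED = {624, 4720}            # 624 on Win2000/2003, 4720 on Vista+
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}  # 636 on Win2000/2003, 4732 on Vista+
PRIVILEGED_GROUPS = {"administrators"}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log. Columns (tab-separated):
# timestamp, event_id, subject (who performed the action), target account, group.
SAMPLE_LOG = """\
2006-11-14 15:10:02\t624\tMACHINE$\ttemp_svc\t-
2006-11-14 15:10:02\t636\tMACHINE$\ttemp_svc\tAdministrators
2006-11-14 15:11:45\t624\tbob\talice\t-
2006-11-14 15:12:03\t636\tbob\talice\tUsers
2006-11-14 15:15:10\t4720\tSYSTEM\tsvc_tmp2\t-
2006-11-14 15:15:11\t4732\tSYSTEM\tsvc_tmp2\tAdministrators
2006-11-14 09:00:00\t4732\tbob\tcarol\tAdministrators
"""


def parse_records(text):
    """Turn the tab-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = line.split("\t")
        records.append({
            "ts": datetime.strptime(ts, TIME_FORMAT),
            "event_id": int(event_id),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return records


def is_service_context(subject):
    """Assumption for this example: SYSTEM or a machine account ($) creating
    users is not normal administrative activity and raises the alert score."""
    return subject.upper() == "SYSTEM" or subject.endswith("$")


def find_suspicious_admin_creations(text, window_seconds=300):
    """Return one alert per account that was created and then added to a
    privileged local group within `window_seconds` of its creation."""
    created = {}   # lower-cased account name -> creation record
    alerts = []
    for rec in parse_records(text):
        key = rec["target"].lower()
        if rec["event_id"] in USER_CREATED:
            created[key] = rec
        elif (rec["event_id"] in LOCAL_GROUP_MEMBER_ADDED
              and rec["group"].lower() in PRIVILEGED_GROUPS):
            origin = created.get(key)
            if origin is None:
                continue  # pre-existing account promoted; out of scope here
            delta = (rec["ts"] - origin["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "account": rec["target"],
                    "created_by": origin["subject"],
                    "created_at": origin["ts"].strftime(TIME_FORMAT),
                    "promoted_at": rec["ts"].strftime(TIME_FORMAT),
                    "group": rec["group"],
                    "service_context": is_service_context(origin["subject"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_creations(SAMPLE_LOG):
        flag = "HIGH" if alert["service_context"] else "MEDIUM"
        print(f"[{flag}] {alert['account']} created by {alert['created_by']} at "
              f"{alert['created_at']}, added to {alert['group']} at {alert['promoted_at']}")
```

Run it as-is to see the two correlated pairs reported and the ordinary `alice` creation ignored; pointing `parse_records` at an export of the real Security log (or equivalent events from a SIEM) needs only the column mapping changed. The point of the window is to distinguish the create-then-promote burst a payload produces from routine provisioning, where creation and group membership changes are usually separated by more than a few seconds or performed by a named administrator.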


