Date: Thu, 2 Oct 2008 18:53:43 -0300
From: "Nelson Brito" <nbrito@...ure.org>
To: bugtraq@...urityfocus.com, focus-ids@...urityfocus.com
Cc: dm@...urityfocus.com
Subject: Re: "Exploit creation - The random approach" or "Playing with random to build exploits"

I am glad you have enjoyed, but I do not with some of your statements.
Actualy, I do not agree with almost all. 8-D

On Fri, Sep 26, 2008 at 7:02 PM, Stefano Zanero <zanero@...t.polimi.it> wrote:
> Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
> which follows a precomputed spreading path, by using prior knowledge of
> all the systems that are vulnerable to the particular exploit in use.
And Slammer didn't.
> It is actually akin to a Warhol worm.

Hhmmm...  Let's check the description for Flash Worm:
"We further observe that there is a variant of the hit-list strategy
that could plausibly result in most of the vulnerable servers on the
Internet being infected in tens of seconds. We term this a flash worm.
The nub of our observation is that an attacker could plausibly obtain
a hit-list of most servers with the relevant
service open to the Internet in advance of the release of the worm."
("How to 0wn the Internet in Your Spare Time")

It looks like a Flash Worm for me, but, well, let's get another
information from CAIDA analysis ofr Slammer
(http://www.caida.org/publications/papers/2003/sapphire/sapphire.html).

It still looks like a Flash Worm for me, and, AFAIR, there was a huge
UDP/1434 probe (SANS Internet Storm Center) before Slammer got the
Internet. Am I wrong? Does not mean the Worm creator used a
"hit-list"?

Well, let's forget this, it is just a matter of different points of
view, anyway. And, AFAIR, the same conflict happened during naming
tyhe Morris Worm.

>> dissemination, it only took 15 minutes to crash all the Internet
>> infra-structure

> How exagerate ;)

Yeah, you're right, it took a little bit more: 30 minutes. 8-D

> Nope, we didn't. But people stopped writing worms, because writing bots
> is much more rewarding, economically.

101% true. And that's even worse than worms. Because they are
stealth... The bots' owner don't want anyone watching. Right?

> No, indeed, it's very old.

Well, I presume you are talking about polymorphic shellcode, right?

>> for years and years, but all our attention was gave to the shellcode.

> Well, actually that's because the polymorphic code for viruses and worms
> came even before, and was already a beaten issue.

I didn't get this age (Virus Age), sorry. The last virus I've heart
about was the CHI. The last real virus, I presume. Right?

>> even during my research, when I talked to someone about the perspective of
>> having a real polymorphic code, people always got confused with polymorphic
>> shellcode.

> Strange, usually it's the other way round.

Really? I got the opposite. Righ now, in our conversasion I'm having
the same wrong perseption.

> Polymorphic code means that a code will change every time it executes,
> making it unpredictable. What we have, so far, are static codes, and I never
> saw any "dynamic" code exploiting any vulnerability.

> Didn't you mention you were NOT thinking of polymorphic SHELL-code, but
> polymorphic code ?

Well, YES... The "collums" showing the exploit structure should
address this misunderstood. Anyway, here is a question: What happens
if we apply Alpha2.c, or any other polymorphic shellcode engine, to
the entiry data we should write in the stack? Will the exploit work? I
don't think so.  Toucheé!!!

>> That is the reason some
>> IPS/IDS can easily add signatures.

> Well, actually shellcode signatures are common, but they are not the reason.
>
> And, signature based IPS/IDS have so many faults that you don't really
> need polymorphic (shell)code to fool them.

Correct! But, if you can do it with an extra elegance, it is better, isn't it?

>> Now, we know how we must build the exploit, and I think we can do a great
>> job randomizing all the fields. Here are the fields ENG needs to deal with:
>> attack vector, buffer, return address, jumps, writable address, nops, and
>> shellcode.

> This is what most of us would call "obfuscating an attack", or "mutating
> an attack". Just so that you know, a tool named SPLOIT was already made
> to perform a number of mutations over exploits (at this and other levels).

Forgive me, I used knew this tool, but never took a look on that.

But here is the question: does it use the same techniques described in
this document?

I really don't think so, even because in the authors papers about
SPLOIT, btw a great tool, they don't describe any of the ENG
techniques.

Never mind, I'll figuret out. Thanks.

> Thanks for the write up. It's an handy cheat sheet for some things.

You're very wellcome, anytime!

But, in fact, I think you din't like that much and you were too much
critic in your statements, but I can guarantee that I'm not sending
any fake-exploit or any "copied-pasted" document. 8-D

This second moderation is really appreciated, because I can expose
much more the ideas behind any misunderstood, and there were too many
just from you, sir.

>> I do hope I could proof all the concepts behind this idea,

> Yep, well, you could just mention them. We already knew them ;-)

Oh, really? I can give any credits, you only should proof that I've
wrote seomthing "copied-pasted" from SPLOIT project. 8-P


> And, I don't see how these have to do with making a Warhol worm more
> dangerous. Signature-based systems will never be useful against a Warhol
> worm in any case, because the updates will simply be too late.

Again, a "Flash Worm", and that is the real category of Slammer, and I
presume "you already know", can be stealth, and what is the best way
to have a stealth worm? Shouldn't be a unpredictable one?

> SZ

-nb (I'll keep it in lower-case)

Powered by blists - more mailing lists