Exploit modification

    • #8644
      ccpik
      Participant

      I got some excellent help regarding an exploit last week. My firewall was dropping all the packets as it was recognising the timestamp of the exploit. I changed the timestamp and the firewall then let it through.

      My question next is: what happens when the firewall still recognises an exploit, but the exploit does not have a timestamp in its source code?

      For example, the 'php_cgi_argument_injection' exploit does not have a timestamp. With exploits like this, what can be edited in the code to avoid firewall detection?

    • #53759
      dynamik
      Participant

      Hah, that really was all it was looking for? I was curious how you came along with that. The longer you do stuff like this, the more you realize most signatures are complete garbage. Before mimikatz was integrated into Metasploit, I got it around SEP by simply importing math.h, calculating a few square roots, and recompiling it. SEP must have been doing an MD5 check or something else extremely rudimentary. I didn’t expect that to work at all.

      There is nothing unique about “timestamp” parameters in exploits. That was just how the signature was written for that specific exploit. It would have been much better for them to look for a request to that page that contained backticks (`) since those are likely never used by the application but are required for command injection.

      The best starting point for analyzing something like this is to perform a packet capture and observe what is actually getting sent across the wire. Once you have that information, you can start thinking about how someone would go about writing a signature for it.

      A good signature should focus on unique characteristics of the malicious traffic in order to accurately identify an exploit attempt without generating false positives. In the exploit you were working with before, there was very little unique information included in the request, and a static timestamp immediately jumped out at me as signature material.

      If you’ve never written IDS signatures before, spend some time with it to get an idea of how real signatures are actually put together. The official Snort manual is an excellent resource for doing this with Snort, and of course that’s all free to use and play around with.

      If you have access to the inline security control, you may be able to review the signature and see exactly what its doing. If you don’t, see if there is a Snort signature for it, which you can at least use as a starting point. Another vendor’s signature will likely be fairly similar.
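
The difference between the two kinds of signature discussed in the post above, as an added example that is not code from the original thread or from any IDS vendor: a rule keyed on a fixed token (here a static timestamp value) versus a rule keyed on a character the attack actually needs (a backtick in the query string), run over constructed HTTP requests. The request paths, parameter names and values are made up for illustration and are not captures of the php_cgi exploit or of a real rule; the third matcher shows a further caveat, that a rule matching the raw bytes misses a URL-encoded backtick, which is why real IDS rules match on the normalised URI.

```python
"""Brittle token signature vs. content-based signature over constructed requests.

Added example, not code from the original thread. All requests below are
constructed for illustration and are not real exploit traffic.
"""
from urllib.parse import unquote, urlsplit

# Constructed samples. ORIGINAL carries the fixed token a brittle rule keys on;
# MODIFIED is the same request with only that token changed; BENIGN is ordinary
# traffic to the same page with no backtick at all.
ORIGINAL = (b"GET /cgi-bin/example.php?t=1339106542&cmd=%60id%60 HTTP/1.1\r\n"
            b"Host: target.example\r\n\r\n")
MODIFIED = (b"GET /cgi-bin/example.php?t=1700000000&cmd=%60id%60 HTTP/1.1\r\n"
            b"Host: target.example\r\n\r\n")
BENIGN = (b"GET /cgi-bin/example.php?t=1700000001&page=2 HTTP/1.1\r\n"
          b"Host: target.example\r\n\r\n")
SAMPLES = {"original": ORIGINAL, "modified": MODIFIED, "benign": BENIGN}


def request_target(raw: bytes) -> str:
    """Return the request-target (path + query) from the first line of a raw HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = first_line.split(" ", 2)
    return target


def query_string(raw: bytes) -> str:
    """Percent-decoded query string, i.e. what the IDS should be matching against."""
    return unquote(urlsplit(request_target(raw)).query)


def brittle_signature(raw: bytes) -> bool:
    """Mimics a rule that only looks for the literal static token (like content:"t=1339106542")."""
    return b"t=1339106542" in raw


def raw_backtick_signature(raw: bytes) -> bool:
    """Looks for a backtick in the raw bytes; misses the URL-encoded form %60."""
    return b"`" in raw


def content_signature(raw: bytes) -> bool:
    """Keys on what the attack needs: a backtick in the decoded query of a request to the CGI path."""
    parts = urlsplit(request_target(raw))
    return parts.path.startswith("/cgi-bin/") and "`" in unquote(parts.query)


def evaluate(samples: dict) -> dict:
    """Map sample name -> (brittle, raw_backtick, content) match results."""
    return {
        name: (brittle_signature(r), raw_backtick_signature(r), content_signature(r))
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLES).items():
        print(f"{name:9s} brittle={hits[0]!s:5s} raw_backtick={hits[1]!s:5s} content={hits[2]}")
```

Changing the timestamp value evades the brittle rule, as happened in the first post, but not the content rule; the raw-bytes backtick rule never fires here because the attacker sent the character percent-encoded, which is the kind of gap you find by capturing the traffic and looking at what actually crosses the wire.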

    • #53760
      ccpik
      Participant

      Sorry, I thought I had replied to this. Yes, that was all the firewall was looking for, worrying really! Your post was extremely helpful; it has now helped me on a few different occasions already.

    • #53761
      SephStorm
      Participant

      Off topic,

      ccpik, but did you ever find the solution for Zeroaccess?

Copyright ©2021 Caendra, Inc.
