Exploit modification


ccpik

Newbie

Posts: 20

Joined: Fri Nov 29, 2013 6:41 am

Post Thu Feb 06, 2014 10:46 am

Exploit modification

I got some excellent help regarding an exploit last week. My firewall was dropping all the packets as it was recognising the timestamp of the exploit. I changed the timestamp and the firewall then let it through.

My question next is what happens when the firewall still recognises an exploit, but the exploit does not have a timestamp in its source code?

For example, php_cgi_argument_injection does not have a timestamp. With exploits like this, what can be edited in the code to avoid firewall detection?

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 11, 2014 11:11 am

Re: Exploit modification

Hah, that really was all it was looking for? I was curious how you came along with that. The longer you do stuff like this, the more you realize most signatures are complete garbage. Before mimikatz was integrated into Metasploit, I got it around SEP by simply importing math.h, calculating a few square roots, and recompiling it. SEP must have been doing an MD5 check or something else extremely rudimentary. I didn't expect that to work at all.

There is nothing unique about "timestamp" parameters in exploits. That was just how the signature was written for that specific exploit. It would have been much better for them to look for a request to that page that contained backticks (``), since those are likely never used by the application but are required for command injection.

The best starting point for analyzing something like this is to perform a packet capture and observe what is actually getting sent across the wire. Once you have that information, you can start thinking about how someone would go about writing a signature for it.

A good signature should focus on unique characteristics of the malicious traffic in order to accurately identify an exploit attempt without generating false positives. In the exploit you were working with before, there was very little unique information included in the request, and a static timestamp immediately jumped out at me as signature material.

If you've never written IDS signatures before, spend some time with it to get an idea of how real signatures are actually put together. The official Snort manual is an excellent resource for doing this with Snort, and of course that's all free to use and play around with.

If you have access to the inline security control, you may be able to review the signature and see exactly what it's doing. If you don't, see if there is a Snort signature for it, which you can at least use as a starting point. Another vendor's signature will likely be fairly similar.
The day you stop learning is the day you start becoming obsolete.
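Added example, not code from the thread or from any IDS vendor: a small Python comparison of the two signature styles described above, a brittle one keyed on a static timestamp value and a content-based one keyed on backticks in a request to the vulnerable page. The page path /vuln.php, the timestamp value and the `%60PLACEHOLDER%60` parameter are all constructed for the demo and are not real exploit traffic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample HTTP requests (assumption: a hypothetical page /vuln.php).
# "original" and "modified" differ only in the static timestamp value, the
# same kind of change the thread describes; "benign" carries no backticks.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("original",
     "GET /vuln.php?timestamp=1391683560&q=%60PLACEHOLDER%60 HTTP/1.1\r\n"
     "Host: target.example\r\n\r\n"),
    ("modified",
     "GET /vuln.php?timestamp=1391683561&q=%60PLACEHOLDER%60 HTTP/1.1\r\n"
     "Host: target.example\r\n\r\n"),
    ("benign",
     "GET /vuln.php?q=hello+world HTTP/1.1\r\n"
     "Host: target.example\r\n\r\n"),
]


@dataclass
class Rule:
    """A signature reduced to a name and a predicate over the raw request."""
    name: str
    matches: Callable[[str], bool]


def brittle_timestamp_rule(request: str) -> bool:
    """Static-string match on one exploit's hard-coded timestamp.

    Any change to that value, which costs the sender nothing, defeats it."""
    return "timestamp=1391683560" in request


def backtick_rule(request: str) -> bool:
    """Content-based match: a request for the vulnerable page whose decoded
    query string contains a backtick, a character the application itself
    would not normally accept in its parameters."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    path, _, query = parts[1].partition("?")
    # Decode percent-encoding so %60 is seen as the backtick it represents.
    return path == "/vuln.php" and "`" in unquote(query)


RULES: List[Rule] = [
    Rule("brittle_timestamp", brittle_timestamp_rule),
    Rule("backtick_in_query", backtick_rule),
]


def evaluate(requests: List[Tuple[str, str]], rules: List[Rule]) -> Dict[str, List[str]]:
    """Return, for each rule, the labels of the sample requests it fires on."""
    return {
        rule.name: [label for label, raw in requests if rule.matches(raw)]
        for rule in rules
    }


def run_demo() -> Dict[str, List[str]]:
    """Run both rules over the constructed samples and return the hits."""
    return evaluate(SAMPLE_REQUESTS, RULES)


if __name__ == "__main__":
    for rule_name, hits in run_demo().items():
        print(f"{rule_name:18s} fired on: {hits}")
```

The timestamp rule fires only on the unmodified sample, while the backtick rule fires on both variants and stays quiet on the benign request, which is the difference between signature material chosen for convenience and signature material tied to what the attack actually needs.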

ccpik

Newbie

Posts: 20

Joined: Fri Nov 29, 2013 6:41 am

Post Wed Apr 09, 2014 3:27 pm

Re: Exploit modification

Sorry, I thought I had replied to this. Yes, that was all the firewall was looking for, worrying really! Your post was extremely helpful; it has already helped me on a few different occasions.

SephStorm

Hero Member

Posts: 622

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Apr 09, 2014 6:14 pm

Re: Exploit modification

Off topic,

ccpik, but did you ever find the solution for Zeroaccess?
sectestanalysis.blogspot.com/
