There are interesting articles on overcoming buffer overflow detectors in this issue. However a technique they do not discuss runs something like this: Instrument the program loader so that instead of simply relocating subroutine entry points, it makes up its own code to insert jacket calls around them (and supporting tables of course). The jacket call would bump a depth counter, call the originally called subroutine, and arrange that its return should be a fixed address. At the fixed address (used for easy recognizing on stack ;-) ) the jacket routine decrements the depth counter and returns. (Some complexity around different types of RET instructions exists btw.) Now also set up some system calls that would be needed to do much harm to have a little instrumentation added also. The instrumentation would be to look at the depth counter and make sure there are that many copies of the magic fixed address return on the stack. Since the jacket routine puts them there, this should be the case, and one needn't bother too much over whether BP is used as a frame pointer or not. If anything gets out of a routine called this way by clobbering a return address, the return address it would clobber would generally be one of the magic fixed address returns. Voila! Detection. Of course a rootkit aware of this could simply push a copy of the magic address onto the stack, and if you could get execution into your injected code without clobbering a return address, you would also avoid detection in this way. Such a scheme is not supernaturally intelligent. However it is a bit of defensive work that could be tried. Glenn Everhart -----Original Message----- From: phrack staff [mailto:rm@xxxxxxxxxxxx] Sent: Monday, July 12, 2004 9:12 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: phrack #62 has been released Hi, Tue Jul 13 00:58:42 UTC - PHRACK #62 HAS BEEN RELEASED. *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG **** PHRACK MAGAZINE is one of the longest running electronic magazines in existence. Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available to the public, as often as possible, free of charge. __^__ __^__ ( ___ )-------------------------------------------------------------( ___ ) | / | 0x01 Introduction phrackstaff 0x08 kb | \ | | / | 0x02 Loopback phrackstaff 0x05 kb | \ | | / | 0x03 Linenoise phrackstaff 0x21 kb | \ | | / | 0x04 Phrack Prophile on scut phrackstaff 0x0b kb | \ | | / | 0x05 Bypassing Win BO Protection Anonymous 0x25 kb | \ | | / | 0x06 Kernel Mode Backdoor for NT firew0rker 0x81 kb | \ | | / | 0x07 Advances in Windows Shellcode sk 0x31 kb | \ | | / | 0x08 Remote Exec grugq 0x3b kb | \ | | / | 0x09 UTF8 Shellcode greuff 0x32 kb | \ | | / | 0x0a Attacking Apache Modules andi 0x5e kb | \ | | / | 0x0b Radio Hacking shaun2k2 0x36 kb | \ | | / | 0x0c Win32 Portable Userland Rootkit kdm 0x48 kb | \ | | / | 0x0d Bypassing Windows Personal FW's rattle 0x59 kb | \ | | / | 0x0e A DynamicPolyalphabeticSubstitutionCipher veins 0x42 kb | \ | | / | 0x0f Playing Cards for Smart Profits ender 0x1a kb | \ | | / | 0x10 Phrack World News phrackstaff 0x55 kb | \ | |___|_____________[ PHRACK, NO FEAR & NO DOUBT ]_________________|___| (_____)-------------------------------------------------------------(_____) ^ ^ Enjoy the magazine! Phrack Magazine Vol 11 Number 62, Build 2, Jul 13, 2004. ISSN 1068-1035 Contents Copyright (c) 2004 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without the prior written permission from the editors. Phrack Magazine is made available to the public, as often as possible, free of charge. |=-----------=[ C O N T A C T P H R A C K M A G A Z I N E ]=---------=| Editors : phrackstaff@xxxxxxxxxx Submissions : phrackstaff@xxxxxxxxxx Commentary : loopback@xxxxxxxxxx Phrack World News : pwn@xxxxxxxxxx Note: You must put the word 'ANTISPAM' somewhere in the Subject-line of your email. All others will meet their master in /dev/null. We reply to every email. Lame emails make it into loopback. |=-----------------------------------------------------------------------=| Submissions may be encrypted with the following PGP key: (Hint: Always use the PGP key from the latest issue) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.1 (GNU/Linux) mQGiBD8t3OARBACWTusKTxboeSode33ZVBx3AlgMTQ8POA+ssRyJkyVVbrruYlLY Bov43vxEsqLZXrfcuCd5iKKk+wLEjESqValODEwaDeeyyPuUMctrr2UrrDlZ2MDT f7LvNdyYFDlYzFwSc9sesrNQ78EoWa1kHAGY1bUD2S7ei1aEU9r/EUpFxwCgzLjq TV6rC/UzOWntwRk+Ct5u3fUEAJVPIZCQOd2f2M11TOPNaJRxJIxseNQCbRjNReT4 FG4CsHGqMTEMrgR0C0/Z9H/p4hbjZ2fpPne3oo7YNjnzaDN65UmYJDFUkKiFaQNb upTcpQESsCPvN+iaVkas37m1NATKYb8dkKdiM12iTcJ7tNotN5IDjeahNNivFv4K 5op7A/0VBG8o348MofsE4rN20Qw4I4d6yhZwmJ8Gjfu/OPqonktfNpnEBw13RtLH cXEkY5GY+A2AapDCOhqDdh5Fxq9LMLKF2hzZa5JHwp6HcvrYhIyJLW8/uspVGTgP ZPx0Z3Cp4rKmzoLcOjyvGbAWUh0WFodK+A4xbr8bEg9PH5qCurQlUGhyYWNrIFN0 YWZmIDxwaHJhY2tzdGFmZkBwaHJhY2sub3JnPohfBBMRAgAfBQI/LdzgBQkDFwQA BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC8vwVck0UfSeo1AJ42bPrG2L0Nlun1Fthn gYlx/9nUiACeJo5tMKlr/JcdKqeEfpNIm4GRmLq5Ag0EPy3dChAIALK9tVpuVImJ REXqf4GeR4RkxpAO+8Z2RolTgESW6FfJQcCM8TKeLuGWE2jGKGWKtZ68m+zxgYBK z+MOKFvlduktqQpyCJP/Mgdt6yy2aSEq0ZqD1hoqiGmoGdl9L6+VD2kUN6EjWCiv 5YikjgQaenSUOmZZR0whuezxW9K4XgtLVGkgfqz82yTGwaoU7HynqhJr7UIxdsXx dr+y7ad1clR/OgAFg294fmffX6UkBjD5c2MiX/ax16rpDqZii1TJozeeeM7XaIAj 5lgLLuFZctcWZjItrK6fANVjnNrEusoPnrnis4FdQi4MuYbOATNVKP00iFGlNGQN qqvHAsDtDTcABAsH/1zrZyBskztS88voQ2EHRR+bigpIFSlzOtHVDNnryIuF25nM yWV10NebrEVid/Um2xpB5qFnZNO1QdgqUTIpkKY+pqJd3mfKGepLhQq+hgSe29HP 45V6S6ujLQ4dcaHq9PKVdhyA2TjzI/lFAZeCxtig5vtD8t5p/lifFIDDI9MrqAVR l1sSwfB8qWcKtMNVQWH6g2zHI1AlG0M42depD50WvdQbKWep/ESh1uP55I9UvhCl mQLPI6ASmwlUGq0YZIuEwuI75ExaFeIt2TJjciM5m/zXSZPJQFueB4vsTuhlQICi MXt5BXWyqYnDop885WR2jH5HyENOxQRad1v3yF6ITAQYEQIADAUCPy3dCgUJAxcE AAAKCRC8vwVck0UfSfL/AJ9ABdnRJsp6rNM4BQPKJ7shevElWACdHGebIKoidGJh nntgUSbqNtS5lUo= =FnHK -----END PGP PUBLIC KEY BLOCK----- phrack:~# head -22 /usr/include/std-disclaimer.h /* * All information in Phrack Magazine is, to the best of the ability of * the editors and contributors, truthful and accurate. When possible, * all facts are checked, all code is compiled. However, we are not * omniscient (hell, we don't even get paid). It is entirely possible * something contained within this publication is incorrect in some way. * If this is the case, please drop us some email so that we can correct * it in a future issue. * * * Also, keep in mind that Phrack Magazine accepts no responsibility for * the entirely stupid (or illegal) things people may do with the * information contained herein. Phrack is a compendium of knowledge, * wisdom, wit, and sass. We neither advocate, condone nor participate * in any sort of illicit behavior. But we will sit back and watch. * * * Lastly, it bears mentioning that the opinions that may be expressed in * the articles of Phrack Magazine are intellectual property of their * authors. * These opinions do not necessarily represent those of the Phrack Staff. */ |=[ EOF ]=---------------------------------------------------------------=| ********************************************************************** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **********************************************************************
