Explore advanced techniques for evading Intrusion Detection Systems (IDS) when designing buffer overflow exploits in this 40-minute Black Hat Europe 2001 conference talk by Anders Ingeborn. Delve into concepts such as mismanaged bounds checks, size restrictions, and double injection methods. Learn how to find socket descriptors, calculate return addresses, and handle function calls effectively. Examine practical scenarios, including server exploitation through initial and secondary payloads. Gain insights into restoring internal registers, understanding the benefits of these techniques, and potential IDS countermeasures. Enhance your knowledge of exploit development and security vulnerabilities while considering the ethical implications and defensive strategies against such attacks.
IDS Evasion Design Tricks for Buffer Overflow Exploits
Overview
Syllabus
Intro
Brief reminder
Simple illustration
Mismanaged bounds check
Size restrictions?
250 bytes example
Another design concept
Double injection
How to find descriptor
"Might" be possible?
Correct return address?
Pop another frame
Situation #1 illustrated
Calculate return address
Function calls
Why do they look like this?
Clean return requirement
Server
Initial injection
First payload
Find socket descriptor
Using the socket
Second payload
Still using the same socket
Finding return address
Code
Restore internal registers
Summary
Benefits
IDS Countermeasures
Other countermeasures
Questions?
Taught by
Black Hat
