Ask and you shall receive (Part 2)


This article is the second part of the "Ask and you shall receive" series. Almost a month ago I received a comment from tborland1, and he/she was kind enough to explain to me that the first article had nothing to do with bypassing IPS/IDS devices, which by the way is true. But it did explain rapid payload delivery, and it did mention that the fragroute tool (and some other tools) can be used to bypass these kinds of devices, so in this article I will show more specifically how to bypass the Symantec Endpoint IPS/IDS software. But the most important thing is that I did explain from scratch the underlying technologies and the basic concept, which by the way is that a buffer overflow is a simple string just like an SQL injection string, and that you can manipulate that string to do WHATEVER YOU WANT with it.

But before I start talking about buffer overflow obfuscation I will first talk about the different stages a buffer overflow goes through before reaching the target machine. So let's talk first about the buffer overflow structure and the TCP/IP stages (I am reminding you that the buffer overflow is the one mentioned in Part 1).

Attack Description

Before the buffer overflow string reaches the vulnerable application on the target machine it first has to go through the TCP/IP stack and then the operating system. In our case the buffer overflow string is the one mentioned in the first part. In order to start testing the attack pattern we first test the vulnerable application to see if it is still working and then move on. So what we want to do with our scenario is as shown below:

Note: Notice that the shell is a reverse shell, that the host IPS is filtering the TCP/IP traffic, and that the FTP application is handling our buffer. The host-based IPS is the Symantec software version 12.

The Buffer Overflow structure

As already mentioned, a traditional buffer overflow (a non-ROP buffer overflow) looks like this (the structure shown below is based on the Free Float FTP v1 buffer overflow explained in the previous article):

  • About the red sections:
Now notice that the red sections (the Junk sections) consist of random characters that are used for positioning the EIP address in the right place. Usually the Junk sections, when taken from published exploits, contain long sequences of A's or B's or chunks of the same character. If you want any type of buffer overflow to bypass the IPS/IDS you have to replace the Junk section with a random character sequence; if you do not do that, the IPS/IDS heuristic features will flag the string as a buffer overflow and block/detect it.
  • About the orange sections:
The orange sections cannot be changed easily because these sections are very important for proper execution of the exploit, but you can use different types of encoding or maybe other means of mutating them, which we will see later on.
  • About the Aqua section:
Also the aqua sections cannot be changed easily because these sections are very important for sliding to the proper position (meaning the EIP) for executing the exploit; we will try to use different types of encoding or maybe other means of mutating them. Usually any decent IPS blocks a strange sequence of NOPs. NOPing a buffer overflow is typical for running the exploit properly.
  • About the Green section:
Again, the green section is also important for properly executing the payload, but we can use the msfencode utility to encode it and try to execute the buffer overflow again.
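To make the heuristic described above concrete, here is an added example (my own, not code from the original article) of the kind of filler check a host IPS can run over inbound data. The sample strings are constructed following the junk/EIP/NOP-sled/payload layout, with placeholder EIP and payload bytes; it shows why a check on repeated filler alone is brittle once the junk is randomised, and why a separate NOP-sled check still fires.

```python
import random

# Constructed sample overflow strings following the article's layout
# [junk][EIP][NOP sled][payload]; the EIP and payload bytes are placeholders.
EIP_PLACEHOLDER = b"\xef\xbe\xad\xde"
PAYLOAD_PLACEHOLDER = b"<payload bytes go here>"

def build_overflow(junk: bytes, sled: bytes) -> bytes:
    return junk + EIP_PLACEHOLDER + sled + PAYLOAD_PLACEHOLDER

def random_junk(length: int, seed: int = 7) -> bytes:
    """Filler with no repeated-byte structure (seeded so the result is stable)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

CLASSIC = build_overflow(b"A" * 230, b"\x90" * 32)          # published-exploit style junk
RANDOMISED = build_overflow(random_junk(230), b"\x90" * 32)  # junk replaced by random bytes

def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def heuristic_flags(data: bytes, run_threshold: int = 64, sled_threshold: int = 16) -> list:
    """Names of the heuristics that fire on the given bytes.
    'repeat_run' is the brittle filler check the article discusses: long runs of
    one byte such as 'AAAA...'. 'nop_sled' looks for a run of 0x90 specifically,
    so randomising the junk does not silence it."""
    flags = []
    if longest_run(data) >= run_threshold:
        flags.append("repeat_run")
    if b"\x90" * sled_threshold in data:
        flags.append("nop_sled")
    return flags
```

A detector that relies only on the repeated-filler heuristic misses the randomised string, so the sled and return-address checks have to be independent of it.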

The TCP/IP Stack structure

During the experiment we will manipulate the stack to deceive the host-based IPS; more specifically we will focus on only two layers, the TCP and the IP layer. The following schema shows the layers we will play with:

Note: Using fragroute we will alter some TCP and IP fields to bypass the Symantec endpoint software.

The Tools for obfuscating the Buffer Overflow String

The tools I am going to use to manipulate the buffer structure are located in the Metasploit suite, or are manual techniques. More specifically I am going to use:
  1. msfencode
  2. msfpayload
  3. msfvenom
  4. pattern_create.rb
  5. Manual Encoding
Note: The tools mentioned above are located in the Metasploit suite and are going to help us make the buffer overflow string look more random.

The Tools for obfuscating the Buffer Overflow for the stack

Fragroute helps the pentester intercept, modify and rewrite egress traffic according to the rules defined in its configuration file. By simply modifying the configuration file located at '/etc/fragroute.conf' with the following default values you can attempt to bypass your targeted IPS/IDS (one rule per line):

tcp_seg 24
ip_frag 64
tcp_chaff paws

The fragroute tool creates a route to the server you target and all your traffic passes through fragroute - no need to configure a proxy in web browsers (if you are targeting a web server).

This configuration goes in the conf file /pentest/scanners/fragroute-1.2/fragroute.conf and the command would be:

bt ~ # fragroute -f /pentest/scanners/fragroute-1.2/fragroute.conf xxx.xxx.xxx.xxx

Note: After the command is executed, just browse to the site and your traffic will be fragged! Another technique that can be used in conjunction with fragroute is gzip encoding for evasion purposes.
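As an added example (not part of the original article or the fragroute project), the following models what a `tcp_seg 24` rule does to a stream and why an IPS that matches signatures packet by packet must reassemble the TCP stream, discard chaff segments it cannot validate, and only then match. The segment size, sequence numbers and signature bytes are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int                  # sequence number of the first payload byte
    payload: bytes
    checksum_ok: bool = True  # chaff segments (tcp_chaff) fail validation: bad checksum or stale PAWS timestamp

# Constructed signature and stream (placeholder bytes, not a real exploit string).
SIGNATURE = b"\x90" * 16 + b"\xef\xbe\xad\xde"
STREAM = b"USER " + b"A" * 40 + SIGNATURE + b"\r\n"
ISN = 1000

def segment_stream(data: bytes, isn: int, size: int) -> list:
    """Split a stream into fixed-size segments, as a `tcp_seg <size>` rule does."""
    return [Segment(isn + off, data[off:off + size]) for off in range(0, len(data), size)]

def per_packet_match(segments, signature: bytes) -> bool:
    """Naive IDS: inspect each packet on its own, so a signature that spans two
    segments is never seen."""
    return any(signature in s.payload for s in segments)

def reassemble(segments, isn: int) -> bytes:
    """Rebuild the byte stream the receiver will hand to the application:
    drop segments that fail validation (chaff), order by sequence number and
    keep already-buffered bytes on overlap. Real hosts resolve overlaps in
    OS-specific ways, so a production IPS must mirror the target's policy."""
    buf = bytearray()
    for s in sorted((s for s in segments if s.checksum_ok), key=lambda s: s.seq):
        off = s.seq - isn
        if off > len(buf):  # hole in the stream: stop until it is filled
            break
        buf.extend(s.payload[len(buf) - off:])
    return bytes(buf)

def stream_match(segments, isn: int, signature: bytes) -> bool:
    """Normalising IDS: reassemble first, then match."""
    return signature in reassemble(segments, isn)
```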

About the Symantec Antivirus software

The following text is an extract from a post by Mr Vikram Kumar hosted on Symantec's official web site:

"Symantec Endpoint Protection IPS system is the best IPS available anywhere! I explained Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors. You can also create your own IPS rules for your specific requirement."

Note: So you get the picture that if I bypass the Symantec HIPS I would have defeated the world's best HIPS.

About the Symantec intrusion prevention sub system

The following text extract was taken from the Symantec administration guide:

"The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The IPS is a network-based system that operates on every computer on which the client is installed and the intrusion prevention system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.

The intrusion prevention system scans each packet that enters and exits computers in the network for attack signatures. Attack signatures are the packet sequences that identify an attacker’s attempt to exploit a known operating system or program vulnerability.

If the information matches a known attack, the IPS automatically discards the packet. The IPS can also sever the connection with the computer that sent the data for a specified amount of time. This feature is called active response, and it protects computers on your network from being affected in any way. The client includes the following types of IPS engines that identify attack signatures."

The Methodology

In this article I am going to focus on two different things:
  1. The TCP/IP Obfuscation (for handling the antivirus/antispyware)
  2. The Buffer Overflow Obfuscation (for handling the HIPS)
Note: I will also describe how Symantec Endpoint Protection works, the network driver types it is using and how to write a custom IPS signature to block the modified buffer overflow.


This post is getting bigger and bigger, so I will break it into a third part; I hope you enjoy it when it is finished.

To be continued...

  1. http://www.darkreading.com/security/news/208804734/how-to-bypass-the-ids-ips.html
  2. http://ethicalhackernet.blogspot.gr/2009/06/bypassing-ips-penetration-tester.html
  3. http://www.indepthdefense.com/2009/08/originally-posted-on-httppauldotcom.html
  4. http://www.shell-storm.org/papers/files/270.pdf
  5. http://etutorials.org/Networking/network+security+assessment/Chapter+4.+IP+Network+Scanning/4.4+IDS+Evasion+and+Filter+Circumvention/
  6. http://www.monkey.org/~dugsong/fragroute/fragroute.8.txt
  7. http://www.symantec.com/connect/blogs/connect-and-protect-symantec-endpoint-protection-always-winner 
  8. ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/administration_guide.pdf