[framework] mcafee Entercept
H D Moore
hdm at metasploit.com
Tue Oct 30 10:42:18 CDT 2007
There are a ton of ways to get around HIPS products like these;
unfortunately, as soon as we include them, the vendors will detect the
new method and work around it. Copying the shellcode to a different
segment before executing it bypasses a large chunk of these products
(they look for LoadLibrary with a return address on the stack, etc). If
you want a quick and dirty way to test this, set the 'Prepend' of the
chosen exploit to an assembly stub that copies the shellcode to a "good"
page (the .data of a DLL, some random memory mapping, etc).
A really good tool for testing HIPS implementations is SLIPFEST:
http://slipfest.cr0.org/
-HD
On Tuesday 30 October 2007, Weston, David G. wrote:
> There's a paper in Phrack 62 about evading third party
> buffer overflow protection and I have had some success with the
> technique of using a return address in the process space marked
> read-only for the final stack frame, but does anyone have tricks to
> add