How hackers bypass IDS for Buffer Overflow

How hackers bypass IDS for Buffer Overflow

As a heavyweight product of enterprise security protection, IDS naturally becomes a target for hackers to crack. It turns out that bypassing IDS protection is completely feasible. The next article will explain how hackers can bypass IDS through buffer overflow during attacks.

The main method for NIDS to detect remote buffer is to determine whether the data packet content includes/bin/sh or whether it contains a large number of NOP. For IDS, some NOP of the overflow program should be replaced by eb 02. However, this method has also become a symbol for NIDS to detect whether it matches Buffer Overflow.

However, Mr. k2 wrote a program named "ADMmutate" for shellcode encryption, and used the technology named "multi-form code" to enable attackers to potentially change the code structure to cheat many intrusion detection systems, but it won't destroy the initial aggressive program. The overflow program can be changed once it is changed, and because of the dynamic change technology, the shellcode in disguise is different each time, originally, NIDS used to detect alarms by extracting the pattern of the Public overflow program. After the pattern changed, it can bypass IDS.

The shellcode format before camouflage is: [nnnnnnnnnnnnnnn] [SSSS] [RRRR]

The disguised shellcode format is [nnnnnnnnn] [dddd] [ssss] [rrrr].

Where: N indicates NOP, S indicates shellcode, R indicates the return address, n indicates the encoded NOP, d indicates the decoder, s indicates the encoded shellcode, and r indicates the return address.

The shellcode disguised by ADMmutate can escape most NIDS that use pattern matching and use string matching! However, if NIDS still depends on the length, printable characters, and so on, ADMmutate still cannot escape NIDS monitoring. However, the length and printable characters may not be accurate, this can cause IDS leakage or false positives. However, for NIDS that use pattern matching, it is still only possible to simply determine the length!