On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphenat_private wrote:
> I'm doing some work on parsing RPC protocols as part of my job, and I'm
> wondering if I've come up with a previously-unknown way of evading IDS
> for RPC-based attacks.

i mentioned (and implemented) this about two years ago. Robert Graham
subsequently fixed this in his NetworkICE product, not sure about others:

http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
http://archives.neohapsis.com/archives/ids/2000-q1/0149.html

> what if I split my attack into 5-byte chunks, with 4 bytes of Record
> Marker between them? Theoretically (untested) a proper RPC
> implementation on a system shouldn't have any trouble dealing with
> this...

yes, this works, if done properly. :-)

> The fragmentation and insertion of RMs is only known to the RPC
> implementation on the target machine.

not true. there isn't really any ambiguity to exploit in simple RPC
fragmentation, it's just more processing the monitor needs to do.

-d.

---
http://www.monkey.org/~dugsong/
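The "more processing the monitor needs to do" is a record-marking reassembler: ONC RPC over TCP prefixes every fragment with a 4-byte big-endian header whose top bit flags the last fragment of a record and whose low 31 bits give the fragment length (RFC 5531, section 11). The example below is added here and is not code from the thread or from any of the products mentioned; it reassembles fragments from a stream delivered in arbitrary TCP segment sizes, parses the RPC CALL header of each completed record, and shows that a content match run per segment never sees a string that the reassembled record contains. The sample record, the marker string, the 5-byte fragment size and the record-size cap are all constructed for this demonstration.

```python
import struct

LAST_FRAG = 0x80000000  # top bit of the record-marking header


def mark_records(record: bytes, frag_size: int) -> bytes:
    """Encode one RPC record as record-marking fragments of frag_size bytes
    (RFC 5531 section 11 layout). Used here only to construct the sample stream."""
    if frag_size < 1:
        raise ValueError("frag_size must be positive")
    out = bytearray()
    for off in range(0, len(record), frag_size):
        chunk = record[off:off + frag_size]
        last = off + frag_size >= len(record)
        out += struct.pack("!I", (LAST_FRAG if last else 0) | len(chunk)) + chunk
    return bytes(out)


class RpcRecordReassembler:
    """Reassembles ONC RPC records from a TCP byte stream. feed() accepts data
    in any segment size and returns every record completed so far. A cap on
    the reassembled size bounds memory use against endless non-final fragments."""

    def __init__(self, max_record: int = 1 << 20):
        self.buf = b""
        self.fragments = []
        self.total = 0
        self.max_record = max_record

    def feed(self, data: bytes) -> list:
        self.buf += data
        completed = []
        while len(self.buf) >= 4:
            (hdr,) = struct.unpack("!I", self.buf[:4])
            last, length = bool(hdr & LAST_FRAG), hdr & 0x7FFFFFFF
            if len(self.buf) < 4 + length:
                break  # fragment body not fully received yet
            self.fragments.append(self.buf[4:4 + length])
            self.buf = self.buf[4 + length:]
            self.total += length
            if self.total > self.max_record:
                raise ValueError("RPC record exceeds configured limit")
            if last:
                completed.append(b"".join(self.fragments))
                self.fragments, self.total = [], 0
        return completed


def parse_call_header(record: bytes):
    """Parse the fixed part of an RPC v2 CALL (xid, msg_type, rpcvers, prog,
    vers, proc; RFC 5531 section 9). Returns None for anything else."""
    if len(record) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", record[:24])
    if mtype != 0 or rpcvers != 2:
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc}


def inspect_stream(stream: bytes, segment_size: int, needle: bytes):
    """Deliver stream in TCP-segment-sized pieces. Returns (segment_hits,
    record_hits): how many raw segments contain needle versus how many
    reassembled records do. Only the second count is meaningful for RPC."""
    reasm = RpcRecordReassembler()
    seg_hits = rec_hits = 0
    for off in range(0, len(stream), segment_size):
        seg = stream[off:off + segment_size]
        seg_hits += needle in seg
        for rec in reasm.feed(seg):
            rec_hits += needle in rec
    return seg_hits, rec_hits


# Constructed sample: a CALL to program 100000 v2 proc 3 with AUTH_NULL
# credential and verifier, followed by a marker string standing in for the
# content a signature would look for.
NEEDLE = b"CONSTRUCTED-MARKER"
SAMPLE_RECORD = struct.pack("!6I", 0x1234, 0, 2, 100000, 2, 3) + b"\x00" * 16 + NEEDLE
SAMPLE_STREAM = mark_records(SAMPLE_RECORD, 5)  # 5-byte fragments, as in the thread

if __name__ == "__main__":
    print("per-segment hits, per-record hits:", inspect_stream(SAMPLE_STREAM, 9, NEEDLE))
    print("call header:", parse_call_header(RpcRecordReassembler().feed(SAMPLE_STREAM)[0]))
```

The reassembler is deliberately indifferent to segment boundaries: delivering the stream one byte at a time yields the same records as delivering it whole, which is the property a monitor needs before any content inspection of RPC traffic can be trusted.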
This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 09:43:33 PST