POSTED BY: dimitris / 04.06.2010

Context keyed payload encoding - AthCon 2010 update

AthCon 2010 is now over and I must say that I’m really looking forward to next year’s event! Kudos to Christian, Kyprianos, Fotis, Chariton, Bernardo, Sandro, Iftach, Corrado, Rodrigo, Alberto and everyone else for making this such a great event!

The main theme of my presentation was “Context-keyed payload encoding”, a shellcode encoding technique that allows attackers to evade detection from NIDS that employ dynamic payload analysis.

The presentation covered the state-of-the-art in NIDS and Context-keying and featured Metasploit implementations for:

  • a CPUID-based context-keyed payload encoder
  • a time(2)-based context-keyed payload encoder
  • a novel stat(2)-based context-keyed payload encoder

Below you may find the relevant whitepaper, presentation slides and Metasploit patch:

  • Presentation whitepaper (pdf)
  • Presentation slides (pdf)
  • Metasploit patch (diff)

A usage example of the new payload encoders can be found in the whitepaper.

Update: The 3 encoders are now part of the Metasploit Framework (revision #9457). Many thanks to HD Moore and Joshua Drake!