Who: Hackers like you.
What: ToorCon 9
When: October 19th-21st, 2007
Where: San Diego Convention Center
Why: What could possibly go wrong?

Context-keyed Payload Encoding

I)ruid

A common goal of payload encoders is to evade a third-party detection mechanism that is actively observing the attack traffic somewhere along the route from an attacker to a target application, filtering on commonly used payload instructions. More often than not, however, payload encoders are easily detected themselves and either decoded or blocked. Even so-called keyed encoders use easily observable, recoverable, or guessable key values in their encoding algorithm, making decoding on the fly trivial once the encoding algorithm is identified. It is feasible that an active observer may exploit the inherent functionality of the decoder stub to decode a suspected exploit's payload, inspect its contents, and make a control decision about the traffic. This presentation introduces a new method of keying an encoder that is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic, however, should be unable to decode the payload for lack of the contextual keying information.
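The observer-side decoding the abstract calls feasible, as an added example that is not part of the ToorCon page or the speaker's work. It models an on-path observer that finds a decoder stub in captured bytes, reads the key the stub carries, runs the decoder's own (here, repeating-key XOR) logic, and matches the decoded contents against a content signature; when the stub carries no key, because the key is derived from target context, the observer can only report the stream as undecodable, which is the signal a defender should alert on. The stub layout (`STUB` magic, key length, key, payload length, encoded bytes), the `hashlib`-derived context key, the sample payload and the signature string are all constructed for this example and stand in for no real architecture's decoder stub or any real signature.

```python
# Added example (not from the ToorCon page or the speaker's work): a toy
# "active observer" that pulls the key out of a decoder stub travelling with
# the payload, decodes, and inspects. The stub layout is a constructed
# stand-in, not any real architecture's decoder stub.
import hashlib

STUB_MAGIC = b"STUB"   # constructed marker standing in for a recognisable stub prologue


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_embedded_key_sample(payload: bytes, key: bytes) -> bytes:
    """Constructed traffic: the stub carries its own key, as ordinary keyed
    encoders do. Layout: MAGIC | key length (1 byte) | key |
    payload length (2 bytes, big-endian) | XOR'd payload."""
    return (STUB_MAGIC + bytes([len(key)]) + key
            + len(payload).to_bytes(2, "big") + xor_bytes(payload, key))


def build_context_keyed_sample(payload: bytes, context_key: bytes) -> bytes:
    """Constructed traffic for the scheme in the abstract: the key is derived
    from target context and never appears on the wire (key length field is 0)."""
    return (STUB_MAGIC + b"\x00"
            + len(payload).to_bytes(2, "big") + xor_bytes(payload, context_key))


def observer_decode(buf: bytes):
    """What an on-path observer can do with only the bytes it sees: locate the
    stub, read the key it carries, and run the decoder's own logic. Returns the
    decoded payload, or None when the stream carries no usable key."""
    idx = buf.find(STUB_MAGIC)
    if idx < 0:
        return None
    pos = idx + len(STUB_MAGIC)
    key_len = buf[pos]
    pos += 1
    key = buf[pos:pos + key_len]
    pos += key_len
    payload_len = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    encoded = buf[pos:pos + payload_len]
    if key_len == 0 or len(encoded) != payload_len:
        return None   # key not on the wire, or truncated stream
    return xor_bytes(encoded, key)


# Constructed content signature an observer might match after decoding.
SIGNATURE = b"CONSTRUCTED-PAYLOAD-MARKER"


def classify(buf: bytes) -> str:
    """Control decision: 'block' if the decoded payload matches the signature,
    'allow' if it decodes clean, 'undecodable' if no key can be recovered.
    A defender should alert on 'undecodable' decoder stubs rather than
    silently allowing them."""
    decoded = observer_decode(buf)
    if decoded is None:
        return "undecodable"
    return "block" if SIGNATURE in decoded else "allow"


if __name__ == "__main__":
    payload = b"[" + SIGNATURE + b"]"
    # Ordinary keyed encoder: the observer recovers the key and decodes.
    print(classify(build_embedded_key_sample(payload, b"\x5a\xa5")))   # block
    # Context-keyed encoder: key derived from a constructed context string
    # that only the target is assumed to know; the observer cannot decode it.
    ctx_key = hashlib.sha256(b"constructed-target-context").digest()[:8]
    print(classify(build_context_keyed_sample(payload, ctx_key)))     # undecodable
```

The second case is the detection gap the talk describes: the observer sees a recognisable stub but no key, so content inspection is impossible and the only defensible policy is to treat the stub's presence itself as the indicator.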

Copyright © ToorCon 2007, all bits reserved.