ph-neutral

Title

Abstract

Much work has been done on evasion techniques against Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), but most of it concerns packet fragmentation, stream segmentation, RPC fragmentation, URL obfuscation, HTML and JavaScript obfuscation, byte insertion, and polymorphic shellcode.

Exploit Next Generation (ENG++) introduces a different and powerful approach that can be applied to almost all vulnerabilities: it targets the vulnerability trigger itself. So far little or no research has addressed the vulnerability trigger.

ENG++ (pronounced "engine", incremented) is neither a new obfuscation technique nor a new shellcode technique. It is a methodology intended to change the behavior of exploit developers: it provides a specific set of procedures for set-based mutation of key aspects of an exploit, so as to defeat simple Pattern Matching and ineffective Stateful Packet Inspection or Deep Packet Inspection in IDS and IPS solutions.

ENG++ works through deep analysis of a vulnerability, then uses the knowledge gained from that analysis to offer a variety of decision points targeting the actual triggering of the vulnerability (i.e., brand-new variants), rather than the shellcode that executes after the vulnerability has been triggered. For ENG++ to be effective, exploit developers must determine additional paths to execution beyond those available in a standard PoC or even in a standard Automated Penetration Testing Tool's exploitation module.

For ENG++ to be effectively stopped, IDS and IPS vendors must understand the traits of the vulnerability equally well and be able to detect multiple paths of execution. In essence, it exposes the frailty of signature-based IDS and IPS solutions. If they simply match patterns, they will not match the pattern after mutation. If they skip paths to execution, their signatures will fail on the mutations. Only robust IDS and IPS solutions will catch all of the permutations.
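The trigger-versus-pattern argument of the abstract, as an added example that is neither this page's nor the speaker's code: a constructed line-based protocol, a model of a server that copies a decoded header value into a hypothetical 64-byte buffer with no length check, and four requests that reach that same condition by different paths (verb and header-name case plus tab separators, percent-encoding, header folding). A byte signature written from the first PoC matches only that PoC; a detector that normalises the request the way the server does and then tests the trigger condition flags all four and passes a benign login. The protocol, BUF_SIZE, the variant set and the signature are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

BUF_SIZE = 64  # hypothetical fixed-size buffer the toy server copies "User" into


def parse_request(raw: bytes) -> dict:
    """Model of the toy server's parser (constructed protocol, not a real one).

    Line 1 is a case-insensitive verb; following lines are 'Name: value'
    headers up to a blank line. Names are case-insensitive, a line that
    starts with whitespace continues the previous header, and values are
    percent-decoded after folding. Each of these conveniences is a separate
    path to the same trigger.
    """
    head, _, _body = raw.partition(b"\n\n")
    lines = head.split(b"\n")
    verb = lines[0].strip().upper()
    headers: dict = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += line.strip()  # header folding (continuation line)
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        last = name.strip().lower()
        headers[last] = value.strip()
    return {"verb": verb,
            "headers": {k: unquote_to_bytes(v) for k, v in headers.items()}}


def _exceeds_buffer(req: dict) -> bool:
    """The vulnerability condition: a LOGIN whose decoded User is longer
    than the buffer it is copied into (hypothetical bug, for illustration)."""
    return req["verb"] == b"LOGIN" and len(req["headers"].get(b"user", b"")) > BUF_SIZE


def server_is_triggered(raw: bytes) -> bool:
    """Ground truth: would this request reach the overflow in the toy server?"""
    return _exceeds_buffer(parse_request(raw))


# Signature a vendor might write from the first public PoC: the literal header
# name followed by a long run of the PoC's filler byte.
POC_SIGNATURE = re.compile(rb"User: A{64,}")


def signature_match(raw: bytes) -> bool:
    """Plain pattern matching on the wire bytes."""
    return POC_SIGNATURE.search(raw) is not None


def trigger_detector(raw: bytes) -> bool:
    """Trigger-aware check: reproduce the server's normalisation (case folding,
    continuation lines, percent-decoding) and test the condition, not the PoC."""
    return _exceeds_buffer(parse_request(raw))


# Constructed requests: one PoC, three mutations that keep the trigger, one benign.
VARIANTS = {
    "poc":             b"LOGIN\nUser: " + b"A" * 100 + b"\n\n",
    "case_and_tab":    b"login\nuser:\t" + b"B" * 100 + b"\n\n",
    "percent_encoded": b"LOGIN\nUser: " + b"%41" * 100 + b"\n\n",
    "folded":          b"LOGIN\nUser: " + b"A" * 40 + b"\n " + b"A" * 40 + b"\n\n",
    "benign":          b"LOGIN\nUser: alice\n\n",
}


def evaluate() -> dict:
    """Per request: does it reach the bug, and does each detector flag it?"""
    return {
        name: {
            "server_triggered": server_is_triggered(raw),
            "signature": signature_match(raw),
            "trigger_detector": trigger_detector(raw),
        }
        for name, raw in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16} {result}")
```

Running the script prints one row per request; only the "poc" row has the signature set, while the trigger-aware column tracks the server column exactly. The cost of that second column is the point of the abstract: the detector had to model every parsing path the server accepts, which is the same work an ENG++-style exploit developer does to enumerate the variants in the first place.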

Speaker

Nelson Brito is just another security research enthusiast, who has an addiction to playing with computer systems' insecurities and lives in a wonderful city: Rio de Janeiro.