Rooting out Pure Alphanumeric Shellcodes
Abstract
Buffer overflows are very common attacks that stem from poor input sanitization
and poor programming practice, and that lead to compromise of the system.
This research presents a distinct and effective way to exploit a buffer overflow
vulnerability using alphanumeric shellcode. As the problem formulation, a new buffer
overflow exploitation technique is devised that renders every vulnerable
Windows-based executable on Windows XP exploitable. It uses an alphanumeric
payload, which can compromise buffer overflows in a stealthier way than a
hexadecimal payload. The alphanumeric payload is made up of constant memory
portions combined with alphanumeric shellcode, which produces exploits that are
stealthy, effective and undetectable by advanced detection systems. A major
feature of such payloads is that they can be used directly as input to target
executables, which is a big problem. An alphanumeric shellcode is provided in the
exploit as part of the payload. Detection of such shellcodes is the prime problem
solved in this research.
Shellcode is the name given to a class of exploitation codes that are delivered
to a vulnerable machine in order to compromise it. It spawns a command shell
after exploitation of the system. With the shell in hand, an attacker uses the
operating system services of the target machine itself to damage the victim. Over
the years shellcodes have caused a great deal of trouble, and ever more
sophisticated shellcodes have evolved. Alphanumeric shellcodes are one of the
advanced forms of shellcode used to evade security fixtures. Alphanumeric
transformation converts the shellcode into what looks like a string of
alphanumeric characters, which scanners, antivirus, firewalls etc. do not analyze
for maliciousness. In this research an effective approach for statistical
detection of pure alphanumeric shellcodes is discussed.
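As an added illustration of the statistical angle the abstract mentions (example code written for this page, not the thesis's own method or code): a detector that flags long, high-entropy runs of alphanumeric characters in untrusted input. The thresholds and both sample inputs are assumptions constructed here; the "suspect" blob is random text standing in for an encoded payload and executes nothing.

```python
import math
import random
import re
import string
from typing import List, Tuple

# Illustrative thresholds (assumptions for this example, not values from the thesis).
MIN_RUN_LEN = 64     # a payload that carries working code needs many characters
MIN_ENTROPY = 4.5    # bits per symbol; natural-language words sit well below this


def shannon_entropy(text: str) -> float:
    """Shannon entropy of text in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_runs(data: bytes,
                    min_len: int = MIN_RUN_LEN,
                    min_entropy: float = MIN_ENTROPY) -> List[Tuple[int, float]]:
    """Find maximal runs of ASCII letters and digits in data and report (length,
    entropy) for each run that is both long and close to uniformly distributed,
    i.e. one that looks like encoded code rather than a word or an identifier."""
    hits = []
    for match in re.finditer(rb"[A-Za-z0-9]+", data):
        run = match.group().decode("ascii")
        if len(run) < min_len:
            continue
        entropy = shannon_entropy(run)
        if entropy >= min_entropy:
            hits.append((len(run), round(entropy, 2)))
    return hits


# Constructed sample inputs: a normal form body, and the same field carrying a
# 200-character pseudo-random alphanumeric blob (not shellcode, just random text).
BENIGN_INPUT = b"username=alice&comment=please+reset+my+password+thanks"
_rng = random.Random(2024)
_BLOB = "".join(_rng.choices(string.ascii_letters + string.digits, k=200))
SUSPECT_INPUT = b"username=" + _BLOB.encode("ascii") + b"&comment=hi"

if __name__ == "__main__":
    print("benign :", suspicious_runs(BENIGN_INPUT))   # []
    print("suspect:", suspicious_runs(SUSPECT_INPUT))  # one long, high-entropy run
```

Base64 blobs, hashes and session tokens are also long, high-entropy alphanumeric runs, so in practice this heuristic needs per-field baselines or allow-listing to keep false positives down.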
Description
ME, CSED
