Vulnerability Development: buffer overflows and stack alignment

From: Oleg Kolesnikov <digiwind_at_hotmail.com>
Date: 15 Mar 2004 03:50:32 -0000
Hi All,

I've been playing around with stack alignment to use multi-byte noops in exploits. I'd like to get some opinions.

Currently, most exploits use single-byte instructions in noop sleds. It can be a problem, particularly for polymorphic exploits, e.g. 55/256, sled detection etc.

Multi-byte instruction sleds have been thought of before but most people seem to think it is not worth the trouble (kudos to the phrack guys for their recursive noop generator heheh ;).

When aleph1 wrote his article, which many of us learned from, the P3 with its SIMD/SSE, XMM*, and 16-byte stack alignment was not in the picture yet. :)

Anyway, I've been able to generate exploits with fault-safe multiple-instruction noops successfully using the 4-byte alignment property on x86 (save m/r, r/m and a few other x86 types that may cause exceptions, most 4-byte instructions seem to work just fine for noops). 8, 12, and 16 seem to be attainable as well.

Even if the exploit data is copied somewhere other than the start address of the buffer, the offset from the beginning should be known to the developer, so the initial alignment (offset & 0xf) bytes can be 1-byte nops.

How reliable is this alignment property? The fact that it works on my machine does not mean it'll work on MOST systems. I mean, -mpreferred-stack-boundary is always there, but how often are the defaults changed?

If there is a safe assumption in terms of the DEFAULT alignment with gcc/ms on x86 and on other platforms, what would it be?

Oleg
---
GATech, Atlanta
Received on Mar 15 2004
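An added example, not Oleg's code and not anything posted to the list: a small C program that builds the kind of sled the post describes (a short run of 1-byte nops to reach a 4-byte boundary, then nothing but 4-byte instructions) and then simulates a return into the sled at every address to show which landing points decode cleanly. The buffer address, the offset and the four instruction encodings are assumptions made up for illustration; the small LCG only varies the order of table entries and is not a polymorphic engine.

```c
/* Added example, not from the original post: build a 4-byte-aligned
 * multi-instruction NOP sled and check which landing addresses decode
 * cleanly. Instruction encodings are hand-picked 32-bit x86 examples;
 * the addresses in main() are made up for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ALIGN 4
#define NOP1  0x90   /* single-byte nop, used only for the alignment pad */

/* Four-byte instructions that do not fault and do not touch esp/ebp.
 * Assumption: the set was chosen by hand; any other same-length,
 * fault-safe instruction could be added to it. */
static const uint8_t sled_insns[][ALIGN] = {
    {0x0F, 0x1F, 0x40, 0x00},   /* nopl 0x0(%eax)             */
    {0x8D, 0x44, 0x20, 0x00},   /* lea  0x0(%eax,%eiz,1),%eax */
    {0x8D, 0x54, 0x22, 0x00},   /* lea  0x0(%edx,%eiz,1),%edx */
    {0x66, 0x83, 0xC0, 0x00},   /* add  $0x0,%ax              */
};
#define N_INSNS (sizeof sled_insns / sizeof sled_insns[0])

/* Number of 1-byte nops needed so the multi-byte part starts on an
 * ALIGN boundary, given the buffer address and the offset at which the
 * sled is placed inside that buffer. */
size_t sled_pad(uintptr_t buf_addr, size_t offset)
{
    return (ALIGN - (buf_addr + offset) % ALIGN) % ALIGN;
}

/* Fill out[] with the pad followed by 4-byte instructions chosen by a
 * tiny LCG (deterministic for a given seed). Returns the number of bytes
 * used, which is pad + a multiple of ALIGN, so shellcode appended right
 * after the sled is aligned as well. */
size_t build_sled(uint8_t *out, size_t out_len,
                  uintptr_t buf_addr, size_t offset, uint32_t seed)
{
    size_t pad = sled_pad(buf_addr, offset);
    if (out_len < pad) return 0;
    size_t used = pad + ((out_len - pad) / ALIGN) * ALIGN;

    memset(out, NOP1, pad);
    for (size_t i = pad; i < used; i += ALIGN) {
        seed = seed * 1103515245u + 12345u;
        memcpy(out + i, sled_insns[(seed >> 16) % N_INSNS], ALIGN);
    }
    return used;
}

/* Simulate a return into the sled at address `entry`: walk the bytes as
 * the CPU would, accepting only 0x90 or one of the table's 4-byte
 * encodings, and report whether the walk reaches the end of the sled
 * (i.e. the shellcode) without desynchronising. Only the encodings in
 * the table are recognised; anything else counts as a bad decode. */
int sled_entry_ok(const uint8_t *sled, size_t sled_len,
                  uintptr_t sled_addr, uintptr_t entry)
{
    if (entry < sled_addr || entry > sled_addr + sled_len) return 0;
    size_t pos = entry - sled_addr;
    while (pos < sled_len) {
        if (sled[pos] == NOP1) { pos += 1; continue; }
        if (sled_len - pos < ALIGN) return 0;
        size_t k;
        for (k = 0; k < N_INSNS; k++)
            if (memcmp(sled + pos, sled_insns[k], ALIGN) == 0) break;
        if (k == N_INSNS) return 0;     /* landed mid-instruction */
        pos += ALIGN;
    }
    return 1;
}

int main(void)
{
    uint8_t buf[64];
    uintptr_t buf_addr = 0xbffff5d0;   /* made-up 16-byte-aligned stack buffer */
    size_t offset = 13;                /* sled starts 13 bytes into it */
    uintptr_t sled_addr = buf_addr + offset;

    size_t used = build_sled(buf, sizeof buf, buf_addr, offset, 42);
    printf("pad=%zu used=%zu\n", sled_pad(buf_addr, offset), used);
    for (uintptr_t e = sled_addr; e <= sled_addr + used; e++)
        printf("entry 0x%08lx: %s\n", (unsigned long)e,
               sled_entry_ok(buf, used, sled_addr, e) ? "ok" : "desync");
    return 0;
}
```

Two design points worth noting. The pad is computed from the absolute address rather than from the offset alone, which only differs from the post's `offset & 0xf` when the buffer start itself is not on the boundary; if the stack alignment the post asks about does not hold, that is exactly the case that breaks the sled. And the simulated walk makes the trade-off visible: every landing inside the 1-byte pad or on a 4-byte boundary is fine, but a return address that lands one, two or three bytes into a 4-byte instruction desynchronises, so the overwritten return address must be an aligned guess, not an arbitrary one.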