Vulnerability Development mailing list archives

buffer overflows and stack alignment


From: Oleg Kolesnikov <digiwind () hotmail com>
Date: 15 Mar 2004 03:50:32 -0000



Hi All,

I've been playing around with stack alignment to use multi-byte noops in exploits. I'd like to get some opinions.

Currently, most exploits use single-byte instructions in noop sleds. It can be a problem, particularly for polymorphic 
exploits, e.g. 55/256, sled detection, etc.

Multi-byte instruction sleds have been thought of before, but most people seem to think it is not worth the trouble 
(kudos to the phrack guys for their recursive noop generator heheh ;). 

When aleph1 wrote his article that many of us learned from, the P3 with its SIMD/SSE, XMM*, and 16-byte stack alignment was not 
in the picture yet. :)

Anyway, I've been able to generate exploits with fault-safe multiple-instruction noops successfully using the 4-byte 
alignment property on x86 (save m/r, r/m and a few other x86 types that may cause exceptions, most 4-byte instructions 
seem to work just fine for noops). 8, 12, and 16 seem to be attainable as well.

Even if the exploit data is copied somewhere other than the start address of the buffer, the offset from the beginning 
should be known to the developer, so the initial alignment (offset & 0xf) bytes can be 1-byte nops.

How reliable is this alignment property? The fact that it works on my machine does not mean it'll work on MOST systems. 
I mean, -mpreferred-stack-boundary is always there, but how often are the defaults changed?

If there is a safe assumption in terms of the DEFAULT alignment with gcc/ms on x86 and on other platforms, what would it 
be?

Oleg
---
GATech, Atlanta
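
Editor's worked example (added here, not part of Oleg's post and not code he shared): a sled built from 4-byte 32-bit x86 instructions whose body is pushed onto an aligned address with 1-byte nops, and a check of which landing addresses decode cleanly. It assumes what the post assumes, a 16-byte-aligned buffer base, and uses 32-bit encodings only (the `lea esp` form would zero-extend rsp in 64-bit mode). The instruction table, the LCG, the buffer address 0xbffff000, the offset 11 and the seed are my own choices and are constructed for the demo; the `0f 1f /0` long NOP is a P6+ encoding and faults on older cores.

```c
/* Added example (not from the post): aligned 4-byte x86 NOP sled + landing check.
 * 32-bit encodings; buffer base assumed 16-byte aligned; scenario values constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_LEN 4
/* 4-byte encodings that read no memory and change no general register
 * (flags may change). 0f 1f /0 is the P6+ long NOP; older cores raise #UD. */
static const uint8_t SLED_OPS[][OP_LEN] = {
    {0x8d, 0x64, 0x24, 0x00}, /* lea esp,[esp+0x0]        */
    {0x8d, 0x74, 0x26, 0x00}, /* lea esi,[esi+eiz*1+0x0]  */
    {0x8d, 0x7c, 0x27, 0x00}, /* lea edi,[edi+eiz*1+0x0]  */
    {0x66, 0x8d, 0x49, 0x00}, /* lea cx,[ecx+0x0]         */
    {0x66, 0x8d, 0x52, 0x00}, /* lea dx,[edx+0x0]         */
    {0x0f, 0x1f, 0x40, 0x00}, /* nop dword [eax+0x0]      */
};
#define NOPS (sizeof SLED_OPS / sizeof SLED_OPS[0])

/* 1-byte NOPs needed so the first 4-byte instruction sits on a multiple of
 * `align` when the sled is copied to address `addr`. */
size_t sled_pad(uint32_t addr, size_t align)
{
    return (align - (addr % align)) % align;
}

/* Fill buf[0..len): 0x90 up to the boundary, then 4-byte instructions picked
 * by a small LCG (new seed, new sled), then 0x90 for any tail shorter than
 * one instruction. Returns the pad length. */
size_t build_sled(uint8_t *buf, size_t len, uint32_t addr, size_t align, uint32_t seed)
{
    size_t i, pad = sled_pad(addr, align);
    if (pad > len) pad = len;
    memset(buf, 0x90, pad);
    for (i = pad; i + OP_LEN <= len; i += OP_LEN) {
        seed = seed * 1103515245u + 12345u;
        memcpy(buf + i, SLED_OPS[(seed >> 16) % NOPS], OP_LEN);
    }
    memset(buf + i, 0x90, len - i);
    return pad;
}

/* Length of the sled instruction at p, or 0 if the bytes are not in the sled
 * vocabulary. Entering mid-instruction always lands outside it here, which we
 * count as derailed (a real CPU runs whatever those bytes decode to). */
static size_t op_len_at(const uint8_t *p, size_t left)
{
    size_t k;
    if (left >= 1 && p[0] == 0x90) return 1;
    if (left < OP_LEN) return 0;
    for (k = 0; k < NOPS; k++)
        if (memcmp(p, SLED_OPS[k], OP_LEN) == 0) return OP_LEN;
    return 0;
}

/* Simulate a return into byte `entry`: 1 if decoding from there reaches the
 * end of the sled on instruction boundaries only, else 0. */
int sled_entry_ok(const uint8_t *buf, size_t len, size_t entry)
{
    size_t pos = entry, n;
    while (pos < len) {
        if ((n = op_len_at(buf + pos, len - pos)) == 0) return 0;
        pos += n;
    }
    return 1;
}

/* Clean landing addresses in [addr, addr+len) that are multiples of `step`,
 * the granularity at which the overwritten return address is usually guessed. */
size_t sled_good_entries(const uint8_t *buf, size_t len, uint32_t addr, size_t step)
{
    size_t i, good = 0;
    for (i = 0; i < len; i++)
        if ((addr + i) % step == 0 && sled_entry_ok(buf, len, i)) good++;
    return good;
}

/* Constructed scenario: payload copied to offset 11 of a 16-byte-aligned
 * buffer at 0xbffff000, with a 64-byte sled in front of the shellcode. */
#define DEMO_ADDR (0xbffff000u + 11u)
#define DEMO_LEN  64
static uint8_t demo_buf[DEMO_LEN];
size_t demo_pad(void) { return build_sled(demo_buf, DEMO_LEN, DEMO_ADDR, 16, 0x1234u); }
size_t demo_good_entries(size_t step)
{ demo_pad(); return sled_good_entries(demo_buf, DEMO_LEN, DEMO_ADDR, step); }
int demo_entry_ok(size_t entry) { demo_pad(); return sled_entry_ok(demo_buf, DEMO_LEN, entry); }

int main(void)
{
    size_t i, pad = demo_pad();
    printf("pad %zu byte(s), body at 0x%08x\n", pad, DEMO_ADDR + (uint32_t)pad);
    for (i = 0; i < DEMO_LEN; i++)
        printf("%02x%c", demo_buf[i], (i % 16 == 15) ? '\n' : ' ');
    printf("clean entries: %zu of %d, and %zu of the 4-byte-aligned ones\n",
           demo_good_entries(1), DEMO_LEN, demo_good_entries(4));
    return 0;
}
```

With the payload landing at 0xbffff00b the pad is 5 bytes, so the body starts at 0xbffff010; every 4-byte-aligned address in the 64-byte sled then decodes cleanly, while a return into byte 6 (one byte into the first 4-byte instruction) derails. The checker is deliberately conservative: it only knows the sled's own vocabulary, so a misaligned entry that a real CPU might resynchronise from is still reported as bad.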

