GEN:SID | 1:1394 |
Message | SHELLCODE x86 NOOP |
Summary | This event is generated when a possible attempt is made to overflow a buffer.
The NOOP warning occurs when a series of NOOP (no operation) instructions is found in a stream. Buffer overflow exploits typically use NOOP sleds to pad the code.
|
Impact | This might indicate someone is trying to use a buffer overflow exploit.
Full compromise of system is possible if the exploit is successful.
|
Detailed Information | This rule detects a large number of consecutive NOOP instructions used in padding code. It is not specific to a particular service exploit, but is instead used to try to detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions, as this increases the odds of successful execution of the useful shellcode.
|
Affected Systems | Any x86 programs.
|
Attack Scenarios | An attacker uses a buffer overflow exploit which contains the following payload:
90 90 90 90 90 90 90 90 90 90 /bin/sh
|
Ease of Attack | Simple.
|
Corrective Action | Apply a non-executable user stack patch to your kernel.
Use secure programming practices and secure execution of programs.
Check the destination host and service to verify whether any buffer overflow vulnerability exists.
|
Additional References | |
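
The check described under Detailed Information can be reproduced offline when triaging an alert. The following is an added example, not the rule's own logic or code from the rule's authors: it scans a payload for runs of consecutive 0x90 bytes and reports where the run sits and what follows it. The threshold `MIN_RUN`, the function names and all sample payloads are assumptions constructed for illustration.

```python
from typing import List, Tuple

NOP = 0x90    # x86 single-byte NOP opcode
MIN_RUN = 10  # assumed threshold; the page only says "a large number"


def nop_runs(data: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for each run of consecutive 0x90 bytes >= min_run."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a run at end of data
        if b == NOP:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs


def triage(data: bytes) -> dict:
    """Summarise the longest run and the bytes after it, for analyst review."""
    runs = nop_runs(data)
    offset, length = max(runs, key=lambda r: r[1], default=(None, 0))
    tail = data[offset + length:offset + length + 16] if runs else b""
    return {"alert": bool(runs), "offset": offset, "length": length,
            "after_sled": tail}


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Payload shown under Attack Scenarios: ten 0x90 bytes, then /bin/sh.
    "page_scenario": b"\x90" * 10 + b"/bin/sh",
    # Plain text request: no 0x90 bytes at all.
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Run shorter than the threshold: ignored.
    "short_run": b"\x01\x02" + b"\x90" * 4 + b"\x03",
    # Code-like bytes with 0x90 fill between them: still alerts, because
    # the check is generic and not tied to a particular exploit.
    "binary_padding": b"\x55\x89\xe5\xc3" + b"\x90" * 12 + b"\x55\x89\xe5\xc3",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, triage(payload))
```

The `binary_padding` sample shows why an alert from this kind of check needs the destination host and service verified before it is treated as an exploit attempt.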