GEN:SID | 1:648 |
Message | SHELLCODE x86 NOOP |
Summary | A series of NOP instructions for Intel's x86 architecure was detected.
|
Impact | As part of an attack on a remote service, an attacker may attempt to take advantage of insecure coding practices in hopes of executing arbitrary code. This procedure generally makes use of NOPs.
|
Detailed Information | The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. This allows "sledding" into the attackers shellcode.
|
Affected Systems | All x86 based systems
|
Attack Scenarios | If a particular service was written using unsafe functions without bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible to write arbitrary data to the address space of the service. Normally, this may just cause the program to die a horrible death. However, if you can get the return address to point to the beginning of the newly written data, it is possible to execute code of your choice. This requires that the newly written data is actual executable data. Since calculating exactly where the return address may point to is no small task, a popular technique is to pad the space leading up to your shellcode with NOPs. This way, if the return address points anywhere in the series of NOPS, execution will slide down into your shellcode.
|
Ease of Attack | Not-so trivial. This particular technique requires a knowledge of x86 assembly coding, memory, and usually an intimate understanding of the code that one is attempting to exploit. Unfortunately, there are hundreds upon hundreds of canned exploits that nearly anyone with the ability point-and-click can use and wreak havok with.
|
Corrective Action | Determine if this NOP was part of an attack or simply part of an innocent stream of data.
|
Additional References | |
Rule References | arachnids: 181
|