Countermeasures 363
Since we zero out these registers before we use them, we can safely use a
random combination of these bytes for the NOP sled. Creating a new exploit
tool that uses random combinations of the bytes @, C, A, B, H, K, I, and J instead
of a regular NOP sled will be left as an exercise for the reader. The easiest
way to do this would be by writing a sled-generation program in C, which is
used with a BASH script. This modification will hide the exploit buffer from
IDSes that look for a NOP sled.
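As an added example (not code from the book), the detection-side counterpart to that sled: a scanner that reports the longest run of bytes drawn from the table's single-byte inc/dec opcodes plus the ordinary 0x90 NOP, which is what a randomized sled looks like on the wire. The run-length threshold is an assumed tuning parameter, and the sample buffer is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes that are single, effectively harmless x86 instructions: the inc/dec
   eax..edx opcodes listed in the table (0x40-0x43, 0x48-0x4B) and the classic
   0x90 NOP. A long run made only of these bytes is sled-like. */
static int is_sled_byte(uint8_t b) {
    return b == 0x90 || (b >= 0x40 && b <= 0x43) || (b >= 0x48 && b <= 0x4B);
}

/* Return the length of the longest run of sled-like bytes in buf and store
   the run's starting offset in *start (0 when no such byte occurs). */
size_t longest_sled_run(const uint8_t *buf, size_t len, size_t *start) {
    size_t best = 0, best_start = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_sled_byte(buf[i])) {
            cur++;
            if (cur > best) { best = cur; best_start = i + 1 - cur; }
        } else {
            cur = 0;
        }
    }
    if (start) *start = best_start;
    return best;
}

/* Flag a buffer when the run reaches the threshold. The threshold is an assumed
   knob: plain ASCII such as "ABBA" also falls inside the byte set, so it must
   sit well above run lengths that legitimate input can produce. */
int looks_like_sled(const uint8_t *buf, size_t len, size_t threshold) {
    return longest_sled_run(buf, len, NULL) >= threshold;
}

/* Constructed sample: filler bytes, then a 32-byte mixed sled built from the
   table's ASCII characters at offset 8, then more filler. Returns 1 if flagged. */
int demo(void) {
    uint8_t buf[64];
    const char *sled = "@CABHKIJJIKHBAC@@CABHKIJJIKHBAC@"; /* 32 bytes */
    memset(buf, 'x', sizeof buf);                        /* 'x' is not in the set */
    memcpy(buf + 8, sled, 32);
    return looks_like_sled(buf, sizeof buf, 16);
}
```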
0x690 Buffer Restrictions
Sometimes a program will place certain restrictions on buffers. This type of
data sanity-checking can prevent many vulnerabilities. Consider the following
example program, which is used to update product descriptions in a fictitious
database. The first argument is the product code, and the second is the
updated description. This program doesn’t actually update a database, but it
does have an obvious vulnerability in it.
update_info.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ID_LEN 40
#define MAX_DESC_LEN 500
/* Barf a message and exit. */
void barf(char *message, void *extra) {
printf(message, extra);
exit(1);
}
/* Pretend this function updates a product description in a database. */
void update_product_description(char *id, char *desc)
{
char product_code[5], description[MAX_DESC_LEN];
printf("[DEBUG]: description is at %p\n", description);
Instruction   Hex    ASCII
inc eax       0x40   @
inc ebx       0x43   C
inc ecx       0x41   A
inc edx       0x42   B
dec eax       0x48   H
dec ebx       0x4B   K
dec ecx       0x49   I
dec edx       0x4A   J