No matter how random the stack may
appear, if you have a register pointing to your shellcode and a corresponding
jump to that register, you will be immune to stack address variations.
- When no jump register instruction can be located, and when confronted with a
randomized stack, remember that with sufficient patience on your part the
stack will eventually randomize to a location for which your chosen return
address works. Unfortunately, this may require a tremendous number of exploit
attempts in order to finally succeed.
- Larger NOP slides make easier targets but are easier to spot from an intrusion
detection point of view. The larger your NOP slide is, the more likely you are to
survive small shifts in the stack and the greater chance you stand of having the
address space randomize to your NOP slide. Remember, whenever using NOPs,
it is a good idea to generate different strings of NOPs each time you run your
exploit. A wide variety of one-byte instructions can be used as effective NOPs. It
is even possible to use multibyte instructions as NOPs if you carefully choose
the second and successive bytes of those instructions so that they in turn
represent shorter NOP sequences.
- For local exploits, forget about returning into stack-based buffers and return
into an argument string, or better yet, an environment variable.
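The second point above cuts both ways: a long NOP slide is what makes it "easier to spot from an intrusion detection point of view", and varying the NOP bytes is what defeats the naive way of spotting it. The following detector is an added example written for this page (it is not from the book) that shows the defender's side of that trade-off: a signature that looks only for runs of `0x90` fires on a plain slide but misses a slide built from mixed one-byte NOP equivalents, while a run-length check over the set of harmless one-byte instructions catches both. The `NOP_LIKE` set (only `0x90` and the 32-bit `inc`/`dec r32` opcodes `0x40`-`0x4f`), the threshold of 32 bytes, and the three sample buffers are all assumptions constructed for the example.

```python
import random

# Assumed set for this example: x86 one-byte instructions that are harmless
# inside a slide. 0x90 is NOP itself; 0x40-0x4f are inc/dec r32 on 32-bit x86.
# Production IDS rule sets track a larger set; this one is deliberately small.
NOP_LIKE = frozenset([0x90]) | frozenset(range(0x40, 0x50))
NOP_LIKE_BYTES = sorted(NOP_LIKE)


def naive_nop_signature(data: bytes, run: int = 16) -> bool:
    """The signature a randomized slide is meant to evade: a run of raw NOPs."""
    return b"\x90" * run in data


def longest_nop_like_run(data: bytes) -> tuple[int, int]:
    """Return (offset, length) of the longest run of NOP-like bytes in data.

    A slide shows up as one long contiguous run because every byte of it must
    execute as a harmless instruction, whichever byte the CPU lands on.
    """
    best_start, best_len = 0, 0
    run_start, run_len = 0, 0
    for offset, byte in enumerate(data):
        if byte in NOP_LIKE:
            if run_len == 0:
                run_start = offset
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, best_len


def looks_like_nop_slide(data: bytes, threshold: int = 32) -> bool:
    """Flag data whose longest NOP-like run reaches the (assumed) threshold."""
    return longest_nop_like_run(data)[1] >= threshold


# Constructed sample buffers, not captured traffic. The 0xcc bytes are only a
# marker for "whatever follows the slide"; they carry no meaning here.
PLAIN_SLIDE = b"GET /" + b"\x90" * 200 + b"\xcc" * 8 + b" HTTP/1.0"

_rng = random.Random(7)  # fixed seed so the sample is reproducible
MIXED_SLIDE = (b"GET /" + bytes(_rng.choice(NOP_LIKE_BYTES) for _ in range(200))
               + b"\xcc" * 8 + b" HTTP/1.0")

BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


if __name__ == "__main__":
    samples = [("plain", PLAIN_SLIDE), ("mixed", MIXED_SLIDE), ("benign", BENIGN)]
    for name, sample in samples:
        offset, length = longest_nop_like_run(sample)
        print(f"{name:6s} raw-NOP signature: {naive_nop_signature(sample)!s:5s} "
              f"longest NOP-like run: {length:3d} at {offset:3d} "
              f"-> {'SUSPECT' if looks_like_nop_slide(sample) else 'ok'}")
```

The benign request scores a longest run of 2 (the `GE` of `GET`, since `0x41`-`0x4f` are also the ASCII letters `A`-`O`), which is the main false-positive source for a check like this: uppercase-heavy text such as base64 can produce longer runs, so the threshold has to be tuned against real traffic. The check also says nothing about the multibyte NOP sequences the text mentions; a slide built from those is not a run of bytes from any fixed set, which is why later detectors moved toward disassembly or emulation of the suspect bytes rather than byte-set matching.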