The second defense attempts to capitalize on the null-termination problem that affects
many buffer overflows. In this case, the loader attempts to place libraries in the first
16MB of memory because every address in this range contains a null in its most significant
byte (0x00000000–0x00FFFFFF). The problem this presents to an attacker is that
specifying a return address in this range effectively terminates many of the copy operations
that result in buffer overflows.
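As an added illustration of the mechanism just described (example code, not from the book), the following C program simulates how a strcpy-style copy treats an input that carries a little-endian address from the first 16MB: the copy stops at the address's null most-significant byte, so the address itself is the last thing delivered and every byte placed after it is dropped. The addresses 0x00B7F2A0 and 0xB7F2A010 are constructed values, not real library addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* True when the address lies in the first 16MB (0x00000000-0x00FFFFFF),
 * i.e. its most significant byte is 0x00. */
int in_ascii_armor_region(uint32_t addr) {
    return (addr >> 24) == 0x00;
}

/* Encode a 32-bit address as the 4 little-endian bytes an x86 system stores. */
void encode_le32(uint32_t addr, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(addr >> (8 * i));
}

/* Number of bytes a strcpy-style copy delivers from src (len bytes long):
 * it stops at the first 0x00 byte, copying that byte and nothing after it. */
size_t strcpy_delivered(const unsigned char *src, size_t len) {
    size_t n = 0;
    while (n < len) {
        n++;
        if (src[n - 1] == 0x00) break;
    }
    return n;
}

/* Constructed input: pad filler bytes, one 4-byte address, then trailer bytes
 * (data that would have to follow the address). Returns how many bytes a
 * strcpy-style copy would deliver, or 0 if the layout does not fit. */
size_t simulate_copy(uint32_t addr, size_t pad, size_t trailer) {
    unsigned char input[64];
    size_t len = 0;
    if (pad + 4 + trailer > sizeof input) return 0;
    memset(input, 'A', pad); len += pad;
    encode_le32(addr, input + len); len += 4;
    memset(input + len, 'B', trailer); len += trailer;
    return strcpy_delivered(input, len);
}

int main(void) {
    /* Constructed addresses: one inside the armored region, one outside it. */
    size_t armored = simulate_copy(0x00B7F2A0u, 16, 8);   /* 20 of 28 bytes */
    size_t normal  = simulate_copy(0xB7F2A010u, 16, 8);   /* 28 of 28 bytes */
    printf("armored address:   %zu of 28 bytes delivered\n", armored);
    printf("unarmored address: %zu of 28 bytes delivered\n", normal);
    return 0;
}
```

With the armored address the copy ends after the address's terminating null, so the eight trailer bytes never reach the destination, which is what blocks copies that need data beyond a single address.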
Payload Construction Considerations
Assuming your efforts lead you to construct a proof-of-concept exploit for the vulnerable
condition you have discovered, your final task will be to properly combine various elements
into input for the vulnerable program. Your input will generally consist of one or more of
the following elements in some order:
• Protocol elements to entice the vulnerable application down the appropriate execution path
• Padding, NOP or otherwise, used to force specific buffer layouts
• Exploit triggering data, such as return addresses or write addresses
• Executable code, that is, payload/shellcode
Chapter 18: From Vulnerability to Exploit
475
PART IV
Gray Hat Hacking: The Ethical Hacker's Handbook
476
If your input is not properly crafted, your exploit is not likely to work properly.