For this example, we choose to relocate buf to the opposite side of variables i and
j. To do this, we need enough additional space to hold buf and leave i and j in their original
locations. The modified prologue is shown in the following listing:
; mutated assembly prologue for badCode
badCode:
    push ebp
    mov ebp, esp
    sub esp, 520
The resulting mutated stack frame can be seen in Figure 19-4, where we note that the
mutated offset to buf is [ebp-520].
The final change required to complete the mutation is to locate all references to [ebp-256] in the original version of badCode and update the offset from ebp to reflect the new location of buf at [ebp-520]. The total number of bytes that must be changed to effect this mutation is one for the change to the prologue plus one for each location that references buf. As a result of this particular mutation, the attacker's 264-byte overwrite falls far short of the return address she is attempting to overwrite. Without knowing the layout of our mutated binary, the attacker can only guess why her attack has failed, hopefully assuming that our particular application is patched, leading her to move on to other, unpatched victims.

Figure 19-3: Original stack layout

Chapter 19: Closing the Holes: Mitigation
Gray Hat Hacking: The Ethical Hacker's Handbook
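The relocation step described above, as an added Python example that is not from the book: it patches a constructed fragment of badCode's 32-bit x86 machine code, growing the prologue's `sub esp` immediate from 264 to 520 and rewriting every [ebp-256] operand to [ebp-520] while leaving the reference to i at [ebp-260] untouched. It uses a minimal linear-sweep decoder instead of a blind byte search so that a value inside an immediate cannot be mistaken for a displacement; the opcode table, the byte fragment and the zeroed strcpy call target are assumptions.

```python
import struct

BUF_OLD, BUF_NEW = -256, -520     # buf moves from [ebp-256] to [ebp-520]
FRAME_OLD, FRAME_NEW = 264, 520   # prologue 'sub esp, imm32' grows to match

# Opcodes this toy linear sweep understands: opcode -> (has ModRM, immediate bytes).
# Assumption: badCode uses only these; a real tool would use a full disassembler.
OPS = {0x55: (False, 0), 0x50: (False, 0), 0xC9: (False, 0), 0xC3: (False, 0),
       0xE8: (False, 4), 0x89: (True, 0), 0x8B: (True, 0), 0x8D: (True, 0),
       0x81: (True, 4), 0xC7: (True, 4)}

def modrm_len(modrm):
    """Bytes after the ModRM byte (SIB + displacement) in 32-bit addressing."""
    mod, rm = modrm >> 6, modrm & 7
    sib = 1 if (mod != 3 and rm == 4) else 0
    return sib + {1: 1, 2: 4}.get(mod, 4 if (mod == 0 and rm == 5) else 0)

def mutate(code):
    """Return (mutated code, sites patched): the prologue's frame size and every
    [ebp+disp32] operand that names buf. Assumes 32-bit x86 with an ebp frame and
    only the opcodes in OPS; anything else raises instead of guessing lengths."""
    out, i, patched = bytearray(code), 0, 0
    while i < len(code):
        op = code[i]
        if op not in OPS:
            raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i}")
        has_modrm, imm = OPS[op]
        i += 1
        if has_modrm:
            modrm = code[i]
            disp = i + 1                                   # disp32/imm32 start here
            # mod=10, rm=101 encodes [ebp+disp32]; patch only the displacement of buf
            if modrm & 0xC7 == 0x85 and struct.unpack_from("<i", code, disp)[0] == BUF_OLD:
                struct.pack_into("<i", out, disp, BUF_NEW); patched += 1
            # 81 /5 with ModRM EC is 'sub esp, imm32': the frame-allocating prologue
            if op == 0x81 and modrm == 0xEC and struct.unpack_from("<i", code, disp)[0] == FRAME_OLD:
                struct.pack_into("<i", out, disp, FRAME_NEW); patched += 1
            i += 1 + modrm_len(modrm)
        i += imm
    return bytes(out), patched

# Constructed fragment of badCode (not the book's bytes): prologue, i = 0 stored at
# [ebp-260] (must stay put), then strcpy's destination computed from buf.
SAMPLE = bytes.fromhex(
    "55" "89E5" "81EC08010000"       # push ebp ; mov ebp, esp ; sub esp, 264
    "C785FCFEFFFF00000000"           # mov dword [ebp-260], 0
    "8D8500FFFFFF" "50"              # lea eax, [ebp-256] ; push eax
    "E800000000" "C9C3")             # call strcpy (rel32 placeholder 0) ; leave ; ret
```

Only the two operands that encode buf's address change; the store to i keeps its [ebp-260] displacement, exactly as the text requires.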