[Snort-sigs] SID 648

Warchild warchild at ...288...
Sat Mar 2 11:19:33 EST 2002

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;) 


A series of NOP instructions for Intel's x86 architecure was detected.

As part of an attack on a remote service, an attacker may attempt to
take advantage of insecure coding practices in hopes of executing
arbitrary code.  This procedure generally makes use of NOPs.

Detailed Information:
The NOP allows an attacker to fill an address space with a large
number of NOPs followed by his or her code of choice.  This allows
"sledding" into the attackers shellcode.

Attack Scenarios:
If a particular service was written using unsafe functions without
bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible
to write arbitrary data to the address space of the service.
Normally, this may just cause the program to die a horrible death.
However, if you can get the return address to point to the beginning
of the newly written data, it is possible to execute code of your
choice.  This requires that the newly written data is actual
executable data.  Since calculating exactly where the return address
may point to is no small task, a popular technique is to pad the space
leading up to your shellcode with NOPs.  This way, if the return
address points anywhere in the series of NOPS, execution will slide
down into your shellcode.

Ease of Attack:
Not-so trivial.  This particular technique requires a knowledge of x86
assembly coding, memory, and usually an intimate understanding of the
code that one is attempting to exploit.  Unfortunately, there are
hundreds upon hundreds of canned exploits that nearly anyone with the
ability point-and-click can use and wreak havok with.

False Positives:
Many. The x86 NOP can frequently be found in day-to-day traffic,
particularly when transfering large files. 

False Negatives:
Few.  There are other techniques to emulate a NOP.  Additionally, if
the attackers NOP sled is small enough (< 15), this particular attack
may slip by.  Fortunately, NOP sleds are generally quite large.

Corrective Action:
Determine if this NOP was part of an attack or simply part of an
innocent stream of data.

Jon Hart <jhart at ...289...>

Additional References:
(aleph1's classic article from Phrack?)

More information about the Snort-sigs mailing list