Looking for a NOP alternative in an alphanumeric form in order to test a buffer overflow through an IDS. The IDS will encode non-alphanumeric values such as 0x90 to %90 to meet HTTP RFC standards hence the reason to instead try an alphanumeric iteration. An alphanumeric payload has been created but the exploit code uses memset and 0x90 to fill the buffer. Exploit code here.
The page here provides some multi-byte options but I am not sure how to replace the NOP byte (around line 147) with something like \x0f\x1f\x00 or anything else that might provide a sled for the payload in the code referenced above. Any recommendations?
Here’s a great site listing all sorts of ASCII assembly instructions (including ASCII nops), if you’re curious. Using these instructions, you can construct entire programs that consist of only ASCII characters. In the context of black hat work, these instructions are very handy for getting around intrusion detection systems and text filters.
For example, the sequence ABCDEFGIJKLMNO is an x86 no-op, despite basically looking like an alphabetical sequence. Furthermore, if you don’t care about trashing certain registers, you can create sequences of ASCII instructions which do nothing more than increment or decrement those registers.

If you’re trying to build a nop-sled using these multibyte nops, be aware that (AFAIK) it’s not possible to make a true nop-sled without using nop, which can be entered at any byte offset and still perform a precise no-op. However, using a pair of instructions like AI (inc ecx; dec ecx) is safer than using a multibyte NOP sequence since the sequence just trashes a register if entered at the wrong offset (whereas a multibyte NOP might cause an illegal instruction exception or do something unexpected).

Anyway, here’s how you can, in general, replicate any multibyte sequence across a buffer in C (provided sizeof(buffer) is a multiple of the op length):
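Since the question is about what an IDS in front of an HTTP service sees, here is an added example (my own, not the exploit from the question or the code the answer above refers to) that URL-decodes a parameter value and flags runs of bytes that decode entirely to the single-byte x86 inc/dec instructions, reporting whether the run leaves every register unchanged, as ABCDEFGIJKLMNO and the AI pair do. The min_len threshold, the sample values and all function names are my own assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# x86 32-bit register order used by the single-byte inc/dec opcodes:
# 0x40-0x47 = inc r32, 0x48-0x4F = dec r32 ('@'..'G' and 'H'..'O' in ASCII).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_incdec(data: bytes):
    """Decode a run of inc/dec-only bytes into (mnemonic, reg) pairs.
    Returns None as soon as a byte outside 0x40-0x4F is seen."""
    out = []
    for b in data:
        if 0x40 <= b <= 0x47:
            out.append(("inc", REGS[b - 0x40]))
        elif 0x48 <= b <= 0x4F:
            out.append(("dec", REGS[b - 0x48]))
        else:
            return None
    return out

def net_register_delta(data: bytes) -> dict:
    """Net change each register would see after executing the whole run."""
    deltas = {r: 0 for r in REGS}
    for mnem, reg in decode_incdec(data) or []:
        deltas[reg] += 1 if mnem == "inc" else -1
    return deltas

def find_sled_candidates(value: str, min_len: int = 16):
    """URL-decode an HTTP parameter value (the IDS in the question sees
    %90-style escapes) and return (offset, run, net_zero) for every run of
    at least min_len consecutive inc/dec bytes. net_zero is True when all
    registers end where they started, the sled-like case. Caveat: long
    uppercase tokens (IDs, base64) can match too, so tune min_len per app."""
    raw = unquote_to_bytes(value)
    hits = []
    for m in re.finditer(rb"[\x40-\x4f]{%d,}" % min_len, raw):
        run = m.group(0)
        net_zero = all(d == 0 for d in net_register_delta(run).values())
        hits.append((m.start(), run, net_zero))
    return hits

# Constructed samples (assumed, not from the original post).
SAMPLE_BENIGN = "q=ABCDEFGHIJKLMNOPQRSTUVWXYZ"      # plain uppercase text
SAMPLE_SLED = "q=" + "ABCDEFGIJKLMNO" * 4 + "%90"   # 56-byte net-zero run

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("sled", SAMPLE_SLED)):
        print(label, find_sled_candidates(sample))
```

A run that is long but not net-zero (for instance twenty repeated A bytes) is still reported, with net_zero set to False, so the caller can treat the two cases with different severity.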