A device used to increase the success rate of a
buffer overflow attack when an exact location in memory cannot be calculated
When exploiting a
buffer overflow to execute inserted code, it is not always possible to know exactly where the buffer (and therefore the
malicious code) is in memory, meaning that the new return address may not actually point to the inserted code. However, if the inserted code is large enough, the return address will probably point to some part of it.
So, if we pad the start of the code with instructions that do nothing relevent to the program (
NOP,
LDI, etc.), then it's likely that the processor will jump to somewhere in this
landing zone, and proceed through it doing nothing of interest until it gets to the inserted code proper.
The most successfull landing zone is one constructed of single word instructions, so there is no chance of the processor jumping to (and executing) an operand with unpredictable results. Unfortunately, packets full of (
NOPNOPNOPNOPNOPNOP) are a dead
giveaway to
intrusion detection systems, which can filter out the packet and alert the administrator.
The concept of a landing zone was first published in Aleph One's smashing the stack for fun and profit.