How does a NOP sled work?

I have racked my brain and have not found a good source that answers this question. I know that a NOP sled is a method used to bypass stack randomization in a buffer overflow attack, but I cannot figure out how it works.

What is a simple example illustrating this method?

What do terms like "128-byte NOP sled" mean?

c assembly stack nop buffer-overflow
Feb 07 '13 at 20:41
2 answers

Some attacks consist of making the program jump to a specific address and continue executing from there. The code you inject must have been loaded into that exact location beforehand, in some way.

Stack randomization and other runtime differences can make the address to which the program will jump impossible to predict, so an attacker puts a NOP sled over a large memory range. If the program jumps anywhere in the sled, it will execute all the remaining NOPs, doing nothing, and then run the payload code that follows the sled.

The reason an attacker uses a NOP sled is to make the target address range larger: the jump can land anywhere in the sled, rather than exactly at the beginning of the injected code.

A 128-byte NOP sled is just a group of NOP instructions that is 128 bytes wide.

NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing except occupy memory and a little runtime.

NOTE #2: In architectures with variable-length instructions, the NOP instruction is usually only one byte long, so it is convenient as padding between instructions. Unfortunately, this also makes it easier to build a NOP sled.

Feb 07 '13 at 20:47

Since I cannot comment, I will add to Rodrigo's explanation. Even with NOP sleds, the approximate location of the buffer in memory must be predicted in advance. One method of approximating a memory location is to use a nearby stack location as a coordinate system. By subtracting an offset from this location, you can obtain the relative address of any variable.

SIDENOTE: on the x86 architecture, the NOP instruction is equivalent to the hexadecimal byte 0x90, so a full exploit buffer might look something like this:

| NOP sled | Shellcode | Repeated Return Address |

Once the EIP register points to any address within the NOP sled, it will increment each time a NOP instruction is executed, one at a time, until it finally reaches the shellcode.

Nov 03 '17 at 20:33
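As an added example (not part of either answer), here is the defender's view of the layout described above: a small C detector that measures the longest run of 0x90 bytes in a buffer, the classic IDS heuristic for spotting a NOP sled, run over a constructed sample made of a 128-byte sled, 0xCC placeholder bytes (int3, standing in for the shellcode) and a made-up repeated return address. The 32-byte threshold is an assumed heuristic value, not something from the answers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP        0x90u  /* x86 single-byte NOP, as the answer notes */
#define SLED_THRESHOLD 32     /* assumed heuristic: flag NOP runs this long or longer */

/* Length of the longest run of consecutive 0x90 bytes in buf. */
size_t longest_nop_run(const unsigned char *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == X86_NOP) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* 1 if the buffer contains a NOP run at least threshold bytes long, else 0. */
int looks_like_nop_sled(const unsigned char *buf, size_t len, size_t threshold) {
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed sample in the layout the answer describes: a 128-byte sled,
 * a placeholder region of 0xCC bytes (int3, the debugger breakpoint; it
 * stands in for the shellcode and is not a payload), then a made-up 4-byte
 * little-endian address repeated to fill the tail of the buffer. */
#define SLED_LEN        128
#define PLACEHOLDER_LEN 16
#define ADDR_REPEATS    8
static const unsigned char fake_addr[4] = { 0x78, 0x56, 0x34, 0x12 }; /* constructed value */

size_t build_sample_buffer(unsigned char *out, size_t cap) {
    size_t total = SLED_LEN + PLACEHOLDER_LEN + ADDR_REPEATS * sizeof fake_addr;
    if (cap < total) return 0;
    memset(out, X86_NOP, SLED_LEN);
    memset(out + SLED_LEN, 0xCC, PLACEHOLDER_LEN);
    for (size_t i = 0; i < ADDR_REPEATS; i++)
        memcpy(out + SLED_LEN + PLACEHOLDER_LEN + i * sizeof fake_addr, fake_addr, sizeof fake_addr);
    return total;
}

/* Convenience wrappers that run the detector over the constructed sample. */
size_t sample_longest_run(void) {
    unsigned char buf[256];
    return longest_nop_run(buf, build_sample_buffer(buf, sizeof buf));
}
int sample_is_flagged(void) {
    unsigned char buf[256];
    return looks_like_nop_sled(buf, build_sample_buffer(buf, sizeof buf), SLED_THRESHOLD);
}
```

Legitimate code also contains 0x90 bytes (alignment padding, for instance), so a run-length threshold alone trades false positives against missed sleds built from other do-nothing instructions.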
