Sorry for not posting often. Actually.. I’m not sorry. I’m happy I’m not posting daily purely to have stuff up daily.
I aim to make posts whenever I find something interesting to share, simple or complex.
Today is complex simplicity!
NOP Sleds or NOP Slides.
previously recognized by the opcode 0×90, this has moved on and into bigger and more worldly ways.
Many of you have reviewed exploits and shellcode related to them and you always spot this extra bit of data that gets sprayed like “0x0c0c” or “0x0c0d” or “0x0a0a”. These sweet opcodes serve multiple purposes when used as part of a heap spray. They can facilitate return addresses for where your code should redirect the exploited EIP. They also double as a NOP sled.
I’ve entered these opcodes into a debugger over a blank .exe file with a series of 0×90 opcodes as a filler.
00401020 . 0A0A OR CL, BYTE PTR DS:[EDX]
00401022 . 0A0A OR CL, BYTE PTR DS:[EDX]
00401024 . 0A0A OR CL, BYTE PTR DS:[EDX]
00401026 . 0A0A OR CL, BYTE PTR DS:[EDX]
00401028 . 90 NOP
00401029 . 90 NOP
0040102A . 90 NOP
0040102B . 90 NOP
0040102C . 0C 0C OR AL, 0C
0040102E . 0C 0C OR AL, 0C
00401030 . 0C 0C OR AL, 0C
00401032 . 0C 0C OR AL, 0C
00401034 . 90 NOP
00401035 . 90 NOP
00401036 . 90 NOP
00401037 . 90 NOP
00401038 . 0C 0D OR AL, 0D
0040103A . 0C 0D OR AL, 0D
0040103C . 0C 0D OR AL, 0D
0040103E . 0C 0D OR AL, 0D
00401040 . 90 NOP
00401041 . 90 NOP
00401042 . 90 NOP
00401043 . 90 NOP
00401044 . 0D 0C0D0C0D OR EAX, 0D0C0D0C
00401049 . 0C 0D OR AL, 0D
0040104B . 0C 90 OR AL, 90
I’ve included the 0c0d and it’s inverted 0d0c variant to demonstrate how it would look if your alignment landed badly. The code corrects itself and will continue the slide.
The intention of a NOP sled is to do no operation yet retain control of EIP. This gives your exploit a larger surface area to land on when dealing with the heap and the difficulty to predict where your shellcode will end up.
The shellcode above shows WORD size nop sleds. The opcode up from the original 0×90 is also usable for a NOP sled. 0×91! This single byte opcode can be used when you know your alignment is out and you don’t care about the contents of EAX or ECX.
00401014 91 XCHG EAX, ECX
00401015 91 XCHG EAX, ECX
00401016 91 XCHG EAX, ECX
00401017 91 XCHG EAX, ECX
You would follow the NOP sled with corrective instructions like XOR EAX, EAX; XOR ECX, ECX. This would reset contents of the registers and clear any exchange of data between the two registers.
This is by no means a detailed look at NOP sleds but just something to open your eyes and so you can begin to understand what the extra code around the shellcode in an exploit is for.
There may be sections in this I might be incorrect about, but feel free to bombard the comments or DM me on twitter.