[Delete This Thread] Confused by NOP slides

I don’t get NOP slides whatsoever. How is it possible to dump an infinite amount of NOPs into the stack and not overflow into the shellcode you just put down as well?

Not to mention if you can’t figure out where the shellcode is and need the slide, how did you overflow it to that address in the first place?

Generaly when going for a buffer overflow you follow some basic steps:

  1. Input a big amount of "A"s or w/e to the vulnerable input and study the stack.
  2. Find the position, where the instruction pointer is written.(with tools)
  3. Find a place, large enough to store your reverse shell, AND some NOPS before it.
    So, you need to have someplace where your code and nops can fit.
    You also need some other pointer to point to the beginning of your payload(eax, esp,…etc)

For example, lets say that you can write data to eip, AND to eax, AND eax has enough space.

So the logic is: overwrite eip(instruction pointer), and make it point to somewhere in the program where it THEN JUMPS to eax(j eax). (Ofcourse in the same input you have studied the offset needed to write to eax.)

I am not 100% how this works, but when the program reads the input, it does some procedures in order to de-encrypt the payload ( at payload generation you used shikata-ga-ani etc…), so there might be a possibility that your payload loses the initial bytes, thus making the payload fail.
That is the reason why NOPS are needed.

“Not to mention if you can’t figure out where the shellcode is”

You know roughly where it is but some different environment variables and stuff like that, might move the address. So the NOP sledge is a very conservative approach to where it is.

It’s exactly like when a friend tells you he will phone you tonight after the news. You don’t know if he’ll call you at 20:15:43 or 20:16:01 but you want to be available a bit before and probably be around at 20:14 onwards: that’s the NOP sledge.

Type your comment> @lebutter said:

“Not to mention if you can’t figure out where the shellcode is”

You know roughly where it is but some different environment variables and stuff like that, might move the address. So the NOP sledge is a very conservative approach to where it is.

It’s exactly like when a friend tells you he will phone you tonight after the news. You don’t know if he’ll call you at 20:15:43 or 20:16:01 but you want to be available a bit before and probably be around at 20:14 onwards: that’s the NOP sledge.

I had started doing Protostar (Loading...) last night and got through the first few examples very easily. Simple find the offset, find address of function, and then overflow with a call to the address.

So this is where I’m now stuck trying to figure out the purpose of NOP sleds. It seems like you do know the address unless these are just super-simplified in a way I dont yet understand?

Huge thank you to @sparkla for clearing up the questions I had

@LMAY75 said:

So this is where I’m now stuck trying to figure out the purpose of NOP sleds. It seems like you do know the address unless these are just super-simplified in a way I dont yet understand?

Usually, you won’t know the exact location of the shellcode, and can only guess an approximate location. So, you add many NOPs in-front, to slide into the actual shellcode (without triggering SIGILL/SIGSEGV/etc.)
Nowadays, you usually have some kind of leak which allows to calculate the exact location and/or need to ROP, anyways. So, you usually don’t need those anymore.