
Buffer overflow stack
I am trying to dig deeper into the nuts and bolts of a stack buffer overflow using the classical NOP-sled technique. Reading some articles and watching videos brought me to a confusion which can be demonstrated in these 2 pictures (which contradict each other unless I misunderstood something there).

This is a picture from Wikipedia's "Buffer_Overflow". What it basically shows is that the shellcode comes at the beginning of the input, followed by NOPs. Then comes a relative jump to another NOPs section which leads to a jump to the shellcode memory address location. What I don't understand is this: we basically aim to overwrite the return address, that in turn will point to the shellcode location. But this is not what I am seeing in the picture; all I see is "relative jumps" to NOP areas which ultimately lead to the shellcode. But what about the return address? Seems like it is being skipped.

The next picture is this (taken from a slideshow). In the slideshow it is said that the black area represents a NOPs area, which in turn leads ultimately to the shellcode, and only then do we see the return address. So if my shellcode begins with NOPs followed by the shellcode, how, where and when exactly do I get to the return address (that should point to the NOPs>Shellcode)? I tried not to make the question overly clumsy and complicated (because of too many words) and I hope the question is clear.

There are two "unknowns" that the attacker has to contend with.

First, the attacker is overflowing a buffer, supposedly on the stack, and among the bytes which follow the buffer in RAM are the bytes which store the "return address" where execution jumps after the current function is finished. The attacker wants to overwrite these bytes with another address, making the CPU jump into code written by the attacker. The first unknown is then: "what is the distance between the buffer (that is overflown) and the return address slot?". The attacker must guess that, so as to know at which point in the attacker-provided data the "return address replacement" must be set.

The second unknown is the actual address of his shell code. In a traditional buffer overflow on the stack, the shell code is part of the data which triggers the overflow, i.e. The return address is absolute, so it is not sufficient for the attacker to know the code of the attacked function; the attacker must also know what the stack depth is at that moment, and this depends on previous application behaviour.

The NOP slide, or NOP sled, is a simple technique to cope with the accuracy issue for the second unknown.
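The layout the answer describes (a fixed-size stack buffer with the saved return address sitting a fixed distance beyond it) comes from the unbounded copy pattern below. This is an added example, not code from the question, the answer or Wikipedia; it shows that pattern next to a bounded form that refuses input which would reach past the buffer. The buffer size and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Vulnerable pattern: a fixed-size buffer on the stack filled by an
 * unbounded copy. On common ABIs the saved frame pointer and the saved
 * return address of this function lie at a fixed, compiler-chosen
 * distance above 'buf' (the "first unknown" in the answer), so any
 * input of BUF_LEN bytes or more spills toward that slot.
 * Returns the length copied. Only safe to call with short input. */
size_t copy_unbounded(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);   /* no length check: overflows for input >= BUF_LEN */
    return strlen(buf);
}

/* Hardened form: reject input that does not fit, so the bytes beyond the
 * buffer are never written. Returns 0 on success, -1 if input is too long. */
int copy_bounded(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (n >= dst_len)     /* '>=' keeps room for the terminating NUL */
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

int main(void)
{
    char out[BUF_LEN];
    /* constructed sample inputs: one that fits, one that would overflow */
    const char *ok = "hello";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("bounded(ok)       -> %d\n", copy_bounded(out, sizeof out, ok));
    printf("bounded(too_long) -> %d\n", copy_bounded(out, sizeof out, too_long));
    /* copy_unbounded(too_long) is deliberately not called: undefined behaviour */
    printf("unbounded(ok)     -> %zu\n", copy_unbounded(ok));
    return 0;
}
```

Compilers' stack protectors (for example GCC's `-fstack-protector`) place a canary between the buffer and the saved return address so that an overwrite like the one in `copy_unbounded` is detected before the function returns, but the length check in `copy_bounded` is what removes the overflow itself.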
