Nop Sled,你能给我解释一下吗?
Nop Sled, can you explain it to me?
我一直在读这本书:Hacking, the art of exploitation
本书第 140 页解释了 Nop Slide:
We’ll create a large array (or sled) of these NOP instructions and place it
before the shellcode; then, if the EIP register points to any address found in
the NOP sled, it will increment while executing each NOP instruction, one at
a time, until it finally reaches the shellcode. This means that as long as the
return address is overwritten with any address found in the NOP sled, the EIP
register will slide down the sled to the shellcode, which will execute properly.
但是使用这种技术,我们会用 0x90 覆盖 return 地址,不是吗?。 EIP 将转到 0x90,导致段错误。
那么,你能给我解释清楚这个技巧吗?谢谢 :)
不,您不会用 NOP sled 重写 return 地址。一旦你得到正确的偏移量,你必须用地址重写 return 地址,它指向你的 NOP 指令中的某处。因为 NOP sled 位于您的 shellcode 之前,它会向下滑动并执行您的 shellcode。所以 60 字节长的 NOP sled 什么都不做。
这是因为(你可以在那本书中找到关于它的一切):
NOP is an assembly instruction that is short for 'no operation'. It is
a single-byte instruction that does absolutely nothing.
我一直在读这本书:Hacking, the art of exploitation
本书第 140 页解释了 Nop Slide:
We’ll create a large array (or sled) of these NOP instructions and place it before the shellcode; then, if the EIP register points to any address found in the NOP sled, it will increment while executing each NOP instruction, one at a time, until it finally reaches the shellcode. This means that as long as the return address is overwritten with any address found in the NOP sled, the EIP register will slide down the sled to the shellcode, which will execute properly.
但是使用这种技术,我们会用 0x90 覆盖 return 地址,不是吗?。 EIP 将转到 0x90,导致段错误。 那么,你能给我解释清楚这个技巧吗?谢谢 :)
不,您不会用 NOP sled 重写 return 地址。一旦你得到正确的偏移量,你必须用地址重写 return 地址,它指向你的 NOP 指令中的某处。因为 NOP sled 位于您的 shellcode 之前,它会向下滑动并执行您的 shellcode。所以 60 字节长的 NOP sled 什么都不做。
这是因为(你可以在那本书中找到关于它的一切):
NOP is an assembly instruction that is short for 'no operation'. It is a single-byte instruction that does absolutely nothing.