C语言 NOP 雪橇如何工作?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14760587/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How does a NOP sled work?
提问by amorimluc
I can't find a good source that answers this question. I know that a nop sled is a technique used to circumvent stack randomization in a buffer overflow attack, but I can't get my head around how it works.
我找不到一个很好的来源来回答这个问题。我知道 nop sled 是一种用于在缓冲区溢出攻击中规避堆栈随机化的技术,但我无法理解它是如何工作的。
What's a simple example that illustrates this method?
什么是说明此方法的简单示例?
What do terms like 128-byte nop sled mean?
像 128 字节 nop sled 这样的术语是什么意思?
回答by rodrigo
Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.
一些攻击包括使程序跳转到特定地址并从那里继续运行。注入的代码必须事先以某种方式加载到该确切位置。
Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.
堆栈随机化和其他运行时差异可能会使程序跳转的地址无法预测,因此攻击者将 NOP 雪橇放置在大范围内存中。如果程序跳转到雪橇的任何位置,它将运行所有剩余的 NOP,什么都不做,然后将运行有效载荷代码,就在雪橇旁边。
The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.
攻击者使用 NOP sled 的原因是为了使目标地址更大:代码可以跳转到 sled 中的任何位置,而不是恰好在注入代码的开头。
A 128-byte NOP sled is just a group of NOP intructions 128 bytes wide.
一个 128 字节的 NOP 雪橇只是一组 128 字节宽的 NOP 指令。
NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.
注意#1:NOP(无操作)是大多数(所有?)体系结构中可用的指令,除了占用内存和一些运行时间外,什么都不做。
NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.
注意#2:在具有可变长度指令的体系结构中,NOP 指令通常只有一个字节的长度,因此它可以用作方便的指令填充。不幸的是,这也使得制作 NOP 雪橇变得容易。
回答by Boschko
To add to rodrigo's explanation - Even with a NOP sled, the approximate location of the buffer in memory must be predicted in advance. One technique for approximating the memory location of is to use nearby stack location as a frame of reference. By subtracting an offset from this location, the relative address of any variable can be obtained.
补充罗德里戈的解释 - 即使使用 NOP 雪橇,也必须提前预测缓冲区在内存中的大致位置。近似内存位置的一种技术是使用附近的堆栈位置作为参考框架。通过从这个位置减去一个偏移量,可以得到任何变量的相对地址。
SIDE NOTE: on x86 architecture the NOP instruction is equivalent to the hex byte 0x90 therefore a completed exploit buffer could look something like this:
边注:在 x86 架构上,NOP 指令等效于十六进制字节 0x90,因此完整的漏洞利用缓冲区可能如下所示:
| NOP sled | Shellcode | Repeated return address|
| NOP 雪橇 | 壳码 | 重复返回地址|
Seeing as if the EIP register points to any address found in the NOP sled, it would increment while executing each NOP instruction, one at a time, untill it finally reaches the shellcode
好像 EIP 寄存器指向在 NOP sled 中找到的任何地址,它会在执行每个 NOP 指令时递增,一次一个,直到它最终到达 shellcode
