Nop Sled, can you explain it to me?


I have been reading this book: Hacking, the art of exploitation

On page 140, the book explains the Nop Slide:

We’ll create a large array (or sled) of these NOP instructions and place it before the shellcode; then, if the EIP register points to any address found in the NOP sled, it will increment while executing each NOP instruction, one at a time, until it finally reaches the shellcode. This means that as long as the return address is overwritten with any address found in the NOP sled, the EIP register will slide down the sled to the shellcode, which will execute properly.

But with this technique, we would overwrite the return address with 0x90, wouldn't we? EIP will go to 0x90, causing a segfault. So, can you explain this technique to me clearly? Thanks :)


There are 2 answers

Yeez (best answer)

No, you will not rewrite the return address with NOP sleds. Once you get the right offset, you have to rewrite the return address with an address that points somewhere into your NOP instructions. And because the NOP sled is placed before your shellcode, it will just slide down and execute your shellcode. So that 60-byte-long NOP sled is doing nothing.

It's because (you can find everything about it in that book):

NOP is an assembly instruction that is short for 'no operation'. It is a single-byte instruction that does absolutely nothing.

William Martens

To add to @Yeez's answer:

A NOP sled (as stated, "no operation") is called a sled because it kinda looks like one:

[nop sleds][shellcode]

So if you "land" in a NOP (aka 0x90; the cliché xchg eax, eax also works, both of these are NOPs),

it will just "slide down" to the shellcode.

If we happen to get here, on the 2nd NOP ([nop] [nop]; the last one),

then we will just 'tick/sled/slide/crawl' along it until we are at our shellcode (by which time we execute that shellcode):

[nop] [nop] [nop] [shellcode]

^ go ^ go ^ go ^ execute

Testing that in rasm2 (radare2's tool, like msf-nasm, if you are used to that):

rasm2 -a x86 -b 32 "xchg eax, eax"
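The point both answers make, as an added toy simulation that is not part of either answer or of the book: memory is a Python dict, the "CPU" knows only the one-byte NOP (0x90), and the base address, sled length and payload marker byte are constructed values. It shows why a return address filled with 0x90 bytes faults while any address inside the sled ends at the same payload address.

```python
# Constructed simulation of "EIP slides down the NOP sled". Nothing here runs
# real machine code: memory is a dict of address -> byte, and the toy CPU only
# understands the single-byte NOP (0x90); any other byte is treated as the
# first instruction of the payload proper.
NOP = 0x90
BASE = 0xBFFFF5A0          # constructed: address of the overflowed stack buffer
SLED_LEN = 60              # the "60 bytes long" sled from Yeez's answer
PAYLOAD_MARK = b"\xCC"     # constructed stand-in for the payload's first byte


def build_memory(base=BASE, sled_len=SLED_LEN):
    """Lay out [NOP * sled_len][payload] starting at `base` (addr -> byte)."""
    image = bytes([NOP]) * sled_len + PAYLOAD_MARK
    return {base + i: b for i, b in enumerate(image)}


def run(memory, eip):
    """Step the toy CPU from `eip`.

    Returns ("SIGSEGV", eip) on a fetch from unmapped memory, or
    ("PAYLOAD", eip, steps) once the first non-NOP byte is reached.
    """
    steps = 0
    while True:
        byte = memory.get(eip)
        if byte is None:                 # unmapped address -> segfault
            return ("SIGSEGV", eip)
        if byte != NOP:                  # reached the payload
            return ("PAYLOAD", eip, steps)
        eip += 1                         # NOP is one byte: slide forward by one
        steps += 1


def overwrite_return_address(value):
    """The saved return address becomes `value`; `ret` loads it into EIP."""
    return run(build_memory(), value)


if __name__ == "__main__":
    # The asker's scenario: the return address slot itself holds 0x90 bytes,
    # so EIP becomes 0x90909090, which is not a mapped address.
    print(overwrite_return_address(0x90909090))
    # Yeez's point: the return address is a pointer *into* the sled. Every one
    # of the 60 sled addresses slides to the same payload address.
    for off in (0, 17, 59):
        print(hex(BASE + off), overwrite_return_address(BASE + off))
```

Landing exactly on the payload's first byte takes zero steps; one byte past the payload marker is unmapped again and faults, which is why the sled only buys tolerance in one direction.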