

Chapter 8

Looking at NOPs

Now that you understand the basics of a heap spray and a NOP, let’s take a look at a generic NOP slide in an actual exploit. In the following listing, notice the hexadecimal representation of

, the Intel x86 architecture opcode.

 in Intel x86 assembly is a NOP. Here you see a series of

s that create our NOP-slide effect. The rest of the code is the payload, such as a reverse shell or a Meterpreter shell.
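The listing above is read as an analyst would read it: a long run of the single-byte x86 NOP followed by the payload. The following is an added example, not code from the book, that scans a captured buffer for such runs and reports where the bytes after the slide begin, which is the natural place to start disassembling. The byte value 0x90 is the well-known x86 NOP opcode; the threshold, function names and the sample buffer are this example's own assumptions.

```python
"""Flag NOP-slide-like runs of 0x90 in a byte buffer (added, constructed example)."""
from typing import List, Tuple

X86_NOP = 0x90   # single-byte NOP opcode on Intel x86 (well-known fact)
MIN_SLIDE = 16   # assumed threshold: shorter runs of 0x90 occur in benign data


def find_nop_slides(buf: bytes, min_len: int = MIN_SLIDE) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of X86_NOP at least min_len bytes long.

    offset + length is the first byte after the slide, i.e. where the payload
    that follows a NOP slide would begin; an analyst would disassemble from there.
    """
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != X86_NOP:
            i += 1
            continue
        start = i
        while i < n and buf[i] == X86_NOP:   # extend over the whole run
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def nop_ratio(buf: bytes) -> float:
    """Fraction of the buffer that is 0x90; a coarse second signal for spray-like data."""
    return buf.count(X86_NOP) / len(buf) if buf else 0.0


# Constructed sample: a 4-byte header, a 32-byte slide, a placeholder in place of
# a payload (NOT shellcode), then an 8-byte run that stays below the threshold.
SAMPLE = (bytes([0x41, 0x42, 0x43, 0x44])
          + bytes([X86_NOP]) * 32
          + b"PAYLOAD-PLACEHOLDER"
          + bytes([X86_NOP]) * 8)

if __name__ == "__main__":
    for off, ln in find_nop_slides(SAMPLE):
        print(f"NOP slide at {off:#x}, {ln} bytes; bytes after slide start at {off + ln:#x}")
    print(f"0x90 ratio: {nop_ratio(SAMPLE):.2f}")
```

Lowering `min_len` makes the scan noisier (the 8-byte run in the sample is then reported too), so the threshold should be tuned against the benign data the detector actually sees.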



Using Immunity Debugger to Decipher NOP Shellcode


Debuggers offer a window into the running state of a program, including assembly instruction flow, memory contents, and exception details. Penetration testers leverage debuggers on a regular basis to identify zero-day vulnerabilities and to understand how an application works and how to attack it. A number of debuggers are out there, but our personal preference going forward (and used in later chapters) is Immunity Debugger. We recommend that you take a look at the basics of Immunity Debugger before proceeding.

To understand what a NOP slide does, let’s use a debugger to look at how the NOP shellcode in the preceding example works. On your Windows XP target, download and install Immunity Debugger from

. We’ll use the

 command to generate sample shellcode for a simple TCP bind shell, listening on port 443. As you learned in previous