18

Problem

I do not know what a "NOP" is in Metasploit Framework or otherwise.

What I do know

Metasploit Unleashed says, "Nops keep the payload sizes consistent." A few question posts mention buffer overflows.

What I would like to know

Why do Nops keep payload sizes consistent? What do Nops keep payload sizes consistent with? What is a Nop, exactly? An acronym? A pseudonym? Does it stand for something longer?

Is a "nop" a process or data? (e.g., do you "run" a nop, or do you "send" a nop?) Why do they call them "sleds" and "sledges"? (I am inferring both of these names refer to the thing you slide down hills with in the wintertime, which seems to imply that a "nop" somehow lubricates some sort of data transaction.)

Where I've already looked for answers

http://www.offensive-security.com/metasploit-unleashed/

http://my.safaribooksonline.com/book/networking/security/9780596009632/metasploit/evasion_using_nops_and_encoders#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTk3ODA1OTYwMDk2MzIlMkZzYW1wbGVfZXZhc2lvbl9vdXRwdXQmcXVlcnk9

http://www.securitytube.net/questions/id/35

http://seclists.org/metasploit/2009/q2/125

http://en.wikipedia.org/wiki/Buffer_overflow

http://en.wikipedia.org/wiki/Polymorphic_code

Pedro Lobito

gal
    +1 A well asked question with lots of prior research. Welcome to Sec.SE :) –  Feb 07 '13 at 23:04

1 Answer

17

In assembly code, NOP is short for No OPeration. This is most popularly known for x86 chips as 0x90. When a processor loads that instruction, it simply does nothing (at least useful) for the one cycle and then advances the register to the next instruction.

NOPs keep the payload sizes consistent

... by ensuring that any space not used by other code will still be validly executable by the processor with no side effects. This "NOP sled" is also the source of humorous names like DEFCON 19 CTF winners European Nopsled Team.

The practical importance of this has to do with writing instruction jumps. Jumps can either be of a relative jump (read the memory 8 bytes before where you are now) or of an absolute jump (read the memory located at position 0x874710). If you move data around at all with an absolute jump, you must recode any references to it. If you move one instruction around relative to another, you must also recode the relative jumps. Putting NOPs in simplifies the problem because a jump that lands anywhere in a series of NOPs will continue on to the first executable instruction and prevent the processor from reading an invalid code that would stop execution and crash the software.

Most prevalently, if you know the pointer for the stack will point somewhere in a continuous range of memory addresses, you'd fill that with NOPs and then put your code after.

Check out this shellcode writing tutorial that explains when it makes use of NOPs to gain better understanding.

Jeff Ferland
  • So it pads a payload to a pre-determined buffer size with essentially the assembly version of a non-breaking space; there's something there, and the processor reads it, but it does absolutely nothing with it. I get that - one last thing then, why is doing that important? – gal Feb 07 '13 at 22:13
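A worked example of the sled the answer describes, added here and not part of the original post or of Metasploit: a buffer is filled with 0x90 bytes and a six-byte payload (`mov eax, 42 ; ret`, chosen for this illustration so the result is observable) is placed at its end; `land_at` then starts execution at an arbitrary offset inside the buffer, standing in for a return address that was only guessed. On x86/x86-64 the bytes are really executed from an mmap'd region (assumes a POSIX system with `mmap`/`mprotect`); on other architectures, or if the region cannot be made executable, a tiny interpreter that models only NOP and this payload stands in. The names `build_sled`, `land_at` and `sled_result` are this example's own.

```c
/* NOP sled demonstration (added example, not from the original answer).
 * build_sled(): fill a buffer with 0x90 and append a tiny payload.
 * land_at():    start execution at any offset; NOPs are skipped until the
 *               payload runs, so every offset inside the sled gives 42. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <sys/mman.h>
#define NATIVE_X86 1
#ifndef MAP_ANONYMOUS
#  ifdef MAP_ANON
#    define MAP_ANONYMOUS MAP_ANON
#  else
#    define MAP_ANONYMOUS 0x20   /* Linux value, used only if the header lacks it */
#  endif
#endif
#else
#define NATIVE_X86 0
#endif

#define NOP   0x90
#define MAGIC 42

/* Constructed payload: mov eax, 42 ; ret  (same encoding in 32- and 64-bit mode) */
static const uint8_t payload[] = { 0xb8, MAGIC, 0x00, 0x00, 0x00, 0xc3 };

/* Fill buf with NOPs and place the payload at the very end.
 * Returns the offset of the payload's first byte. */
size_t build_sled(uint8_t *buf, size_t size) {
    size_t start = size - sizeof payload;
    memset(buf, NOP, size);
    memcpy(buf + start, payload, sizeof payload);
    return start;
}

/* Fallback: interpret only the instructions this example uses
 * (NOP, mov eax imm32, ret). Anything else is reported as -1. */
static int interpret(const uint8_t *buf, size_t size, size_t pc) {
    uint32_t eax = 0;
    while (pc < size) {
        uint8_t op = buf[pc];
        if (op == NOP) { pc += 1; continue; }
        if (op == 0xb8 && pc + 5 <= size) {
            eax = (uint32_t)buf[pc + 1] | (uint32_t)buf[pc + 2] << 8 |
                  (uint32_t)buf[pc + 3] << 16 | (uint32_t)buf[pc + 4] << 24;
            pc += 5; continue;
        }
        if (op == 0xc3) return (int)eax;
        return -1;
    }
    return -1;
}

#if NATIVE_X86
/* Copy the sled into an executable mapping and really jump into it.
 * Returns -2 if the mapping cannot be created, so the caller can fall back. */
static int run_native(const uint8_t *buf, size_t size, size_t entry) {
    void *region = mmap(NULL, size, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -2;
    memcpy(region, buf, size);
    if (mprotect(region, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(region, size);
        return -2;
    }
    int (*fn)(void);
    void *target = (uint8_t *)region + entry;
    memcpy(&fn, &target, sizeof fn);   /* object -> function pointer without a cast warning */
    int result = fn();                 /* NOPs slide into mov eax,42 ; ret */
    munmap(region, size);
    return result;
}
#endif

/* "Return" into the buffer at `entry`. Offsets past the payload start are refused:
 * they would decode the payload bytes as different instructions. */
int land_at(const uint8_t *buf, size_t size, size_t entry) {
    size_t start = size - sizeof payload;
    if (size < sizeof payload || entry > start) return -1;
#if NATIVE_X86
    int r = run_native(buf, size, entry);
    if (r != -2) return r;
#endif
    return interpret(buf, size, entry);
}

/* Convenience: build a sled of `size` bytes and land at `entry`. */
int sled_result(size_t size, size_t entry) {
    if (size < sizeof payload) return -1;
    uint8_t *buf = malloc(size);
    if (!buf) return -1;
    build_sled(buf, size);
    int r = land_at(buf, size, entry);
    free(buf);
    return r;
}

int main(void) {
    size_t offsets[] = { 0, 137, 250, 251 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("land at offset %3zu -> %d\n", offsets[i], sled_result(256, offsets[i]));
    return 0;
}
```

Every entry from 0 up to and including the payload's first byte yields 42, which is the whole point of the sled: the attacker only needs the overwritten return address to fall somewhere in that range rather than hit one exact byte. The refused offset shows the limit: land even one byte past the payload start and the same bytes decode as different instructions. Real shellcode has to be position-independent for the same reason, since the sled makes its final address unpredictable.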