I can't find a good source that answers this question. I know that a nop sled is a technique used to circumvent stack randomization in a buffer overflow attack, but I can't ge
To add to rodrigo's explanation - Even with a NOP sled, the approximate location of the buffer in memory must be predicted in advance. One technique for approximating the memory location is to use a nearby stack location as a frame of reference. By subtracting an offset from this location, the relative address of any variable can be obtained.
SIDE NOTE: on the x86 architecture the NOP instruction is equivalent to the hex byte 0x90, therefore a completed exploit buffer could look something like this:
| NOP sled | Shellcode | Repeated return address|
Seeing as, if the EIP register points to any address found in the NOP sled, it would increment while executing each NOP instruction, one at a time, until it finally reaches the shellcode.
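The layout above ("NOP sled | Shellcode | Repeated return address") is also what simple IDS-style signatures key on from the defender's side. As an added example that is not part of the original answer, the following detector scans a byte buffer for a long run of 0x90 and for a 4-byte word repeated at the tail; the sample buffers, the 0xBFFFF7A0 value and the thresholds are constructed assumptions.

```python
import struct

NOP = 0x90  # x86 single-byte NOP, as the answer states

# Constructed sample buffers (not real traffic): one laid out as
# "NOP sled | shellcode | repeated return address", one benign.
SUSPECT = (b"\x90" * 64                          # NOP sled
           + b"\xcc" * 24                        # stand-in for shellcode (int3 bytes)
           + struct.pack("<I", 0xBFFFF7A0) * 8)  # repeated return address, made up
BENIGN = bytes(range(256)) * 2

def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best

def repeated_tail_word(data: bytes, min_repeats: int = 4):
    """(value, count) if the buffer ends in the same little-endian
    4-byte word repeated >= min_repeats times, trying all four
    alignments; None otherwise."""
    best = None
    for align in range(4):
        tail = data[align:]
        tail = tail[: len(tail) - len(tail) % 4]
        words = [tail[i:i + 4] for i in range(0, len(tail), 4)]
        if not words:
            continue
        count = 0
        for w in reversed(words):
            if w != words[-1]:
                break
            count += 1
        if count >= min_repeats and (best is None or count > best[1]):
            best = (struct.unpack("<I", words[-1])[0], count)
    return best

def looks_like_sled_payload(data: bytes, min_sled: int = 32) -> bool:
    """Flag buffers showing both signs of the layout above. Thresholds
    are assumptions for this example; matching only 0x90 is a teaching
    simplification, production detectors use broader criteria."""
    return (longest_nop_run(data) >= min_sled
            and repeated_tail_word(data) is not None)

if __name__ == "__main__":
    print("SUSPECT:", looks_like_sled_payload(SUSPECT))  # True
    print("BENIGN:", looks_like_sled_payload(BENIGN))    # False
```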