• Difference between Heap Spray and NOP Sled

    A lot of people I meet often think that NOP Sled and Heap Spraying are actually the same thing. Not true at all. I wanted to write a description myself, but there were already good pointers on Wikipedia.

    Heap Spray

    “In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run. Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large Unicode strings with the same character repeated many times by starting with a string of one character and concatenating it with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine. When the desired string length is reached a shell code is put at the end of the string. The heap spraying code makes copies of the long string with shell code and stores these in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets. Occasionally, VBScript is used in Internet Explorer to create strings by using the String function.”

    NOP Sled

    “In computer CPUs, a NOP slide, NOP sled or NOP ramp, is a sequence of NOP (no-operation) instructions (on Intel x86, this is the opcode 0x90) meant to “slide” the CPU’s instruction execution flow to its final, desired, destination. Generally a NOP slide will be used in cases where execution will branch into a position that cannot be determined with absolute accuracy, therefore “padding” the memory area before and after the approximate branch address is performed in the hope of avoiding an exception which would cause the program or system to crash. Once the CPU branches anywhere within the NOP slide, its IP (instruction pointer) will “slide” to its final destination, where there is valid code to be executed.”

    Hope this helps.