Welcome to Ask A Pentester, where you can get your security questions answered by members of the IT Security community!

About "NOP" slides in JS Heap Overflows

+1 vote
I don't understand how 0x0c0c can be used as a "NOP" slide in JavaScript heap overflows. Can anybody please explain it to me?

Thanks in advance! :)
asked 1 year ago in Exploit devel. by TheMaskedNerdo amateur (340 points)

1 Answer

+2 votes

Got a link for you: http://lordparody.wordpress.com/2010/03/09/just-slide/ I hope that explains to you why 0c0c is used instead of 0x90.

answered 1 year ago by KMDave pro pentester (860 points)
Also, if I understood correctly, these "multibyte NOPs" do have an effect on the program, but it's small enough not to change important register values until we get to our payload.
In the case of "0x0c0c" it translates to a series of "OR AL, 0c". The first one actually changes the lower bytes of EAX, but the next zillion don't have any effect, due to OR operation properties.
The important fact here is that after a zillion instructions the change is minimal and we didn't rely on the value of EAX for successful exploitation.

Is that right?

Yes it is.

In fact, we say "nop slide" because the instruction NOP is a single-opcode instruction that does nothing, so in most cases we should use 0x90 (NOP) to do a heap spray.

Now, just imagine a system that does checks in the browser's memory (or another application like Acrobat Reader) and tries to detect NOP sleds.

In this case, you can use other opcodes that do not affect important registers, and that do not do stupid things (int overflow on a register ...) ...

In this case, the shellcode can be executed (some of your registers have been modified, but that does not prevent the shellcode from working), and your "nop sled" won't be detected.
Nice one. Thanks for the answer! :)
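To check the claims made in the comments above, here is an added example (not code from the thread or its authors): a minimal model of the x86 instruction `0C ib` (`OR AL, imm8`) run over a constructed buffer of 0x0c bytes, plus a byte run-length scan for the detection side the answer mentions. The helper names (`run_sled`, `longest_byte_run`) and the sample buffer are assumptions of this example.

```python
# Added example, not code from the thread. Models the one instruction the
# reply discusses, x86 opcode 0x0C ib = "OR AL, imm8", and runs it over a
# constructed buffer full of 0x0c bytes to check two claims: only AL changes,
# and only the first execution can change it (OR is idempotent). A small
# run-length scan shows the detection side: a long repeat of *any* byte value
# is visible to a scanner, not just a repeat of 0x90.


def decode_or_al_imm8(buf: bytes, ip: int):
    """Decode 'OR AL, imm8' at buf[ip]; return (imm8, next_ip) or None."""
    if ip + 1 < len(buf) and buf[ip] == 0x0C:
        return buf[ip + 1], ip + 2
    return None  # any other opcode is out of scope for this tiny model


def run_sled(buf: bytes, entry: int, eax: int):
    """Execute from `entry` until decoding fails (end of buffer).

    Returns (eax, instructions_executed, index_of_first_change_or_None).
    """
    ip, steps, first_change = entry, 0, None
    while (decoded := decode_or_al_imm8(buf, ip)) is not None:
        imm, ip = decoded
        # OR AL, imm8 touches bits 0-7 only; EAX bits 8-31 are preserved.
        new_eax = (eax & 0xFFFFFF00) | ((eax & 0xFF) | imm)
        if new_eax != eax and first_change is None:
            first_change = steps
        eax, steps = new_eax, steps + 1
    return eax, steps, first_change


def longest_byte_run(buf: bytes):
    """Return (byte_value, run_length) of the longest run of one repeated byte."""
    best_val, best_len, cur_len = None, 0, 0
    for i, b in enumerate(buf):
        cur_len = cur_len + 1 if i and buf[i - 1] == b else 1
        if cur_len > best_len:
            best_val, best_len = b, cur_len
    return best_val, best_len


if __name__ == "__main__":
    sled = b"\x0c" * 1000  # constructed: 1000 bytes of 0x0c, as in a spray block
    eax, n, first = run_sled(sled, 0, 0x12345678)
    print(hex(eax), n, first)              # 0x1234567c 500 0
    eax, n, first = run_sled(sled, 1, 0x12345678)
    print(hex(eax), n, first)              # odd entry offset decodes the same way
    print(longest_byte_run(sled))          # (12, 1000): flagged by run length alone
```

Entering at an odd offset still decodes as `OR AL, 0x0c` because every byte in the buffer is 0x0c, which is why the sled works regardless of where execution lands.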