I have been reading this book: Hacking, the art of exploitation
On page 140, the book explains the Nop Slide:
We’ll create a large array (or sled) of these NOP instructions and place it before the shellcode; then, if the EIP register points to any address found in the NOP sled, it will increment while executing each NOP instruction, one at a time, until it finally reaches the shellcode. This means that as long as the return address is overwritten with any address found in the NOP sled, the EIP register will slide down the sled to the shellcode, which will execute properly.
But with this technique, we would overwrite the return address with 0x90,wouldn't we?. EIP will go to 0x90, causing a segfault. So, can you explain this technique to me clearly? Thanks :)
No, you'll not rewrite return address with NOP sleds. Once you get the right offset, you have to rewrite return address with address, what points somewhere into your NOP instructions. And because NOP sled is placed before your shellcode, it will just slide down and execute your shellcode. So that 60 bytes long NOP sled is doing nothing.
It's because (you can find everything about it, in that book):
NOP is an assembly instruction that is short for 'no operation'. It is a single-byte instruction that does absolutely nothing.