-1

I'm trying to understand the basic principles of buffer overflows. During countless hours of reading one of the things I noted was:

Most of the time the exploit string structure looks like this, where the nops and shellcode are located in the first part before the buffer overflow:

[NOPS-SHELLCODE-NEWEIPADDRESS]

Now I like thinking outside of the box and tried this, where the shellcode is located after the new eipaddress in the stack:

[NOPS-NEWEIPADDRESS-SHELLCODE]

I succeeded at exploiting my test vulnerability in this way but really wonder why nobody writes or uses this kind of example? Is it bad practice or what am I overlooking?

Improve this question

1 Answer 1

Reset to default
1

I think the second way you used to achieve buffer overflow worse than the first one.

Let me explain for you.

In general, the operating system has a security feature called ASLR.

In short word, your stack address (buffer address) will be different every time you execute.

So you have to guess the buffer address, that's why NOP sled for.

If your NEWEIPADRESS landed within NOP sled or the first byte of shellcode, your exploit succeed.

However, if you used second way, you only succeed when your NEWEIPADRESS is first byte of shellcode.

If you lended in NOP sled, your NEWEIPADRESS will be interpreted as assembly language to execute.

In most case, your NEWEIPADRESS will make your exploit failed expect that NEWEIPADRESS are all NOP.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.