-1

I'd like to know why we have to put the shellcode before the return address in a buffer overflow. Logically the return address will point to the shellcode and will be executed. So, the return address should be put before the shellcode.

I read about it here: buffer overflow exploits - Why is the shellcode put before the return address.

But I didn't really understand. Can someone explain it to me?

Scoobydoo

2 Answers

1

You can put your shellcode wherever you want. It's usually below the return address in textbook stack overflow, because it causes your total payload to be smaller.

Small illustration: you're overflowing a 256-byte buffer on the stack. Your payload would look like this in a classical overflow:

NOP * (256 - len(shellcode)) + shellcode + padding + returnaddress

If you put the payload after:

padding * 256 + padding + returnaddress + nop * (as much as needed) + shellcode.

Pro: you can sometimes add much more space for your nops or bigger shellcode. If you're doing ROP you'll need to use that space after the return address anyway.

Cons: your payload is bigger and may not fit in your buffer.

Aris
0

I'd like to know why we have to put the shellcode before the return address in a buffer overflow.

The shellcode does not need to be before the return address in a buffer overflow.

See, for example, this advisory and the corresponding slide deck.

Jason Geffner
  • Thank you for your answer, but can you explain to me exactly what happens when we put the shellcode before the return address and what happens when we put it after the return address? Thank you for your help – Scoobydoo Sep 26 '15 at 18:26
  • That's not a reverse engineering question. Please ask on http://security.stackexchange.com/ or http://stackoverflow.com/. – Jason Geffner Sep 26 '15 at 18:29