Phan Thanh Duy

Reputation: 11

About buffer overflow shellcode position

I'm learning about exploits. In all BOF examples, the shellcode is always placed in the buffer => shellcode + padding + overwrite return addr. Is it possible to place the shellcode after the return address, overwriting the preceding stack frame, in case the buffer is too small => padding + overwrite return address + shellcode?

Upvotes: 0

Views: 1345

Answers (1)

Yeez

Reputation: 292

Sure, it's possible in the case, as you said, when the buffer is too small. There is a place named 'environment variables'; it's located on the stack, so you can easily check it via gdb. It's a little more distant from the top of the stack. Just use the command 'x/500s $esp' and you'll find all the variables with their addresses. Then all you need to do is prepare your shellcode (with some NOP sled) and export it into a new environment variable; as a next step you have to get the address of your env. variable. It's better to do it using core dumps, because it's more precise than gdb (in gdb the addresses are a little different than in reality, because there is a shift). Or just use this little program written by Jon Erickson: getenvaddr.c

So your payload for now will look like: [ Junk | SFP | Return address ]

For example:

  • Junk = 40 * A
  • SFP = 4 * B
  • Return address = 0xXXXXXXXX <-- Here is the address of your env. variable, where you'll want to jump.

The second option is to simply put your shellcode after the buffer, in case there is room.

So your payload can look like: [ Junk | SFP | Return address | NOP sled | Shellcode ]

  • Junk = 40 bytes (40 * A)
  • SFP = 4 * B
  • Return address = 0xXXXXXXXX <-- You'll need to jump somewhere into the NOPs
  • NOP sled = \x90 * 30
  • Shellcode

Upvotes: 2
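As an added illustration (not code from the question or the answer), the following byte-level model of the 32-bit frame the answer describes shows why bytes written past the saved return address land in the caller's frame, which is what makes the second layout work, and why a stack canary placed between the buffer and the SFP (what -fstack-protector adds) is corrupted by both layouts. The sizes (40-byte buffer, 4-byte SFP and return address, 30-byte NOP sled) follow the answer; the addresses, the canary value and the shellcode placeholder are constructed.

```python
import struct

BUF_SIZE, CANARY_SIZE, SFP_SIZE, RET_SIZE = 40, 4, 4, 4
CALLER_ROOM = 64                 # bytes of the caller's frame we model (constructed)
CANARY = b"\x00\xaa\xbb\xcc"     # constructed; a real canary is random per process
BUF_ADDR = 0xBFFFF400            # constructed 32-bit stack address of the buffer


class Frame:
    """Stack frame as a byte array, lowest address first: buffer, [canary], SFP, RET, caller's frame."""

    def __init__(self, with_canary):
        self.with_canary = with_canary
        self.sfp_off = BUF_SIZE + (CANARY_SIZE if with_canary else 0)
        self.ret_off = self.sfp_off + SFP_SIZE
        self.caller_off = self.ret_off + RET_SIZE       # first byte of the previous frame
        self.mem = bytearray(self.caller_off + CALLER_ROOM)
        if with_canary:
            self.mem[BUF_SIZE:BUF_SIZE + CANARY_SIZE] = CANARY

    def unbounded_copy(self, data):
        """The bug: a strcpy-style write with no length check keeps going past the buffer."""
        self.mem[:len(data)] = data

    def canary_intact(self):
        """The check the compiler emits at function exit; False means the frame was overwritten."""
        return not self.with_canary or bytes(self.mem[BUF_SIZE:BUF_SIZE + CANARY_SIZE]) == CANARY

    def return_address(self):
        return struct.unpack("<I", self.mem[self.ret_off:self.ret_off + RET_SIZE])[0]

    def caller_frame(self):
        return bytes(self.mem[self.caller_off:])


def layout_return_to_env(env_addr):
    """Answer's first layout: [ Junk | SFP | Return address ], jumping to an env variable."""
    return b"A" * BUF_SIZE + b"B" * SFP_SIZE + struct.pack("<I", env_addr)


def layout_code_after_ret(sled_addr, sled_len=30):
    """Answer's second layout: [ Junk | SFP | Return address | NOP sled | Shellcode ]."""
    code = b"<shellcode placeholder>"       # constructed stand-in, not executable code
    return layout_return_to_env(sled_addr) + b"\x90" * sled_len + code


def overflow(with_canary, payload):
    """Build a frame, perform the unbounded copy, and return the resulting frame for inspection."""
    frame = Frame(with_canary)
    frame.unbounded_copy(payload)
    return frame
```

Without a canary, the NOP sled of the second layout begins at BUF_ADDR + 48, exactly one byte past the return-address slot, so that is where the return address must point; with a canary, the 4 bytes of SFP junk land on the canary in either layout and the exit check fires before the return address is ever used.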
