Why do we need to know the address of shellcode?

Reverse Engineering Asked by Sathyam Lokare on October 22, 2020

I have read many articles regarding the buffer overflow exploit. Everywhere it's written as follows.

“It’s difficult to know the starting address of the shellcode”

Why do we need to know the address of the shellcode? Why does stack not execute the shellcode as it is?

Say we inject our shellcode this way:

our shellcode — some padding — our choice of saved return

Should the shellcode not be executed by default by the stack? Why do we add NOP sleds and complicate things?

One Answer

Exploiting software by injecting shellcode into its memory always requires the following steps:

  1. Have a way to inject your shellcode in memory (usually, it can take place in any buffer of the program).

  2. Redirect the execution flow (i.e. be able to write on the rip) to point to the shellcode and execute it (usually, it is done through a buffer-overflow).

If you are not sure about the address of your shellcode, the second part of the exploitation (the redirection of the eip) cannot be achieved reliably.

Correct answer by perror on October 22, 2020
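The answer's second step is the whole point of the question: the CPU never "executes the stack"; it executes whatever byte sits at the address that the overwritten return value put into rip, and every byte after it, until something faults. The toy model below is an added illustration, not code from the question or the answer. It replaces real execution with a three-symbol interpreter over a constructed byte region: 0x90 (the real x86 one-byte NOP) is treated as "advance one byte", 0xCC is a stand-in marker for "first byte of the shellcode" (no actual shellcode is involved), and any other byte is treated as an invalid instruction, i.e. a crash. The function names, the region size and the sled lengths are all assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte values for the toy model (not real machine code beyond
 * 0x90 being the x86 NOP opcode):
 *   OP_NOP = sled byte, execution simply moves on to the next byte
 *   OP_HIT = stands in for "the shellcode starts here"
 *   OP_PAD = filler; the model treats it as an invalid instruction */
#define OP_NOP 0x90
#define OP_HIT 0xCC
#define OP_PAD 0x41

/* Simulate execution starting at the (guessed) return address `rip`.
 * Returns 1 if the walk reaches the shellcode marker, 0 if it hits an
 * invalid byte (a crash) or runs off the end of the region. */
int lands_on_shellcode(const unsigned char *region, size_t len, size_t rip)
{
    while (rip < len) {
        if (region[rip] == OP_HIT)
            return 1;                      /* landed on the shellcode */
        if (region[rip] != OP_NOP)
            return 0;                      /* not a sled byte: fault */
        rip++;                             /* NOP: fall through to next byte */
    }
    return 0;                              /* walked past the buffer */
}

/* Build the layout from the question: [NOP sled][shellcode][padding].
 * A sled length of 0 gives the question's original layout with no sled.
 * Returns the offset at which the shellcode marker was placed. */
size_t build_payload(unsigned char *region, size_t len, size_t sled_len)
{
    memset(region, OP_PAD, len);           /* "some padding" everywhere */
    memset(region, OP_NOP, sled_len);      /* optional sled in front */
    region[sled_len] = OP_HIT;             /* shellcode starts right after it */
    return sled_len;
}

/* How many distinct return-address guesses inside the region would work?
 * This is the "tolerance window" the attacker's guess has to fall into. */
size_t count_working_guesses(const unsigned char *region, size_t len)
{
    size_t n = 0;
    for (size_t rip = 0; rip < len; rip++)
        n += (size_t)lands_on_shellcode(region, len, rip);
    return n;
}

int main(void)
{
    unsigned char region[64];             /* constructed 64-byte buffer */

    build_payload(region, sizeof region, 0);
    printf("no sled:      %zu of %zu guesses reach the shellcode\n",
           count_working_guesses(region, sizeof region), sizeof region);

    build_payload(region, sizeof region, 32);
    printf("32-byte sled: %zu of %zu guesses reach the shellcode\n",
           count_working_guesses(region, sizeof region), sizeof region);
    return 0;
}
```

With no sled exactly one of the 64 candidate addresses works; every other guess starts the CPU on a padding byte and the model faults immediately, which is why "it's difficult to know the starting address" matters. A 32-byte sled widens the window to 33 addresses, which is the only thing the sled buys: it does not make the stack "execute the shellcode by itself", it makes an imprecise guess survivable. The same model shows why the standard mitigations work: stack randomisation (ASLR) moves the region so the guess is wrong, and a non-executable stack makes even a correct guess fault.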
