Sorry if this post is in the wrong section. I'm fairly new to the security field and new to Stack Exchange; if this post is in the wrong section, it would be great if it were moved for me. Also sorry if similar questions have been asked before, which they have, but I couldn't find an answer that clears things up for me. I digress.
I have been studying buffer overflows for the past few days and I have come across a tutorial: a link!
If you watch to the very end, the attacker puts some random characters into the buffer until he/she hits the return address and the program gives a seg fault, so he/she next inserts random characters followed by an address (which is the memory address of the JMP ESP instruction inside the DLL attached to the program) followed by the payload or shellcode.
So my question is: why and how does this attack work, since he/she is placing the shellcode after the return address and not in the buffer space like usual buffer overflow attacks on 32-bit machines? In other attacks the shellcode would be placed inside the buffer space with NOPs preceding it, the return address would be overwritten to jump to an address inside the buffer, and the shellcode would eventually be executed.
In this example, as mentioned, the shellcode is after the return address; how would this work? Inside the DLL there is an asm__(JMP ESP), so the return address will first go to the memory location where that instruction is located in the DLL, then it will execute the JMP ESP instruction, but where is ESP pointing? Wouldn't ESP be pointing to the return address at this stage, or even EBP?
Sorry if I haven't explained this question very well; asking questions isn't my strong suit.
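Added example, not from the question or the tutorial it links: a small C model of a 32-bit stack frame that simulates the function epilogue `leave; ret` on a constructed overflow input, to show where ESP ends up once the return address has been popped. The stack, the register values and the 0x11223344 "JMP ESP" address are all made up for the model.

```c
#include <stdint.h>
#include <string.h>

#define STACK_SIZE   64          /* modelled stack; addresses are offsets into mem */
#define BUF_SIZE     16          /* the vulnerable local buffer */
#define FRAME_EBP    32          /* where the saved-EBP slot sits in this model */
#define FAKE_JMP_ESP 0x11223344u /* placeholder for a JMP ESP address, not real */

typedef struct {
    uint8_t  mem[STACK_SIZE];    /* low addresses first; the stack grows downward */
    uint32_t esp, ebp, eip;
} Cpu;

static uint32_t load32(const Cpu *c, uint32_t a) { uint32_t v; memcpy(&v, c->mem + a, 4); return v; }

/* Frame: buf at ebp-16..ebp-1, saved EBP at ebp, return address at ebp+4.
 * The copy has no bound check, so a long input runs past the buffer. */
static void build_frame(Cpu *c, const uint8_t *input, size_t len) {
    memset(c, 0, sizeof *c);
    c->ebp = FRAME_EBP;
    c->esp = FRAME_EBP - BUF_SIZE;
    memcpy(c->mem + c->esp, input, len);
}

static void do_leave(Cpu *c) {   /* mov esp, ebp ; pop ebp */
    c->esp = c->ebp;
    c->ebp = load32(c, c->esp);
    c->esp += 4;                 /* ESP now at the return-address slot */
}

static void do_ret(Cpu *c) {     /* pop eip */
    c->eip = load32(c, c->esp);
    c->esp += 4;                 /* ESP now just past that slot */
}

/* Constructed input: 16 bytes fill buf, 4 overwrite saved EBP, 4 replace the
 * return address, then 8 marker bytes 'P' standing in for the payload.
 * Returns ESP as it is when the fetched return address starts executing. */
static uint32_t run_overflow(Cpu *c) {
    uint8_t in[BUF_SIZE + 4 + 4 + 8];
    uint32_t ra = FAKE_JMP_ESP;
    memset(in, 'A', BUF_SIZE + 4);
    memcpy(in + BUF_SIZE + 4, &ra, 4);
    memset(in + BUF_SIZE + 8, 'P', 8);
    build_frame(c, in, sizeof in);
    do_leave(c);
    do_ret(c);
    return c->esp;
}

/* Address at which the bytes after the return address landed: ebp+8 */
static uint32_t payload_addr(void) { return FRAME_EBP + 8; }
```

After `leave`, ESP sits on the return-address slot (not on EBP, which `pop ebp` has already consumed); `ret` pops that slot too, so ESP is left pointing at the very next bytes, which is why a `JMP ESP` reached through the overwritten return address lands on whatever followed it in the input.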