6

I am quite new to buffer overflows and I am practicing right now different types of buffer overflow attacks. The shellcode was not executed until it was padded with NOPs, although it's set properly in memory and the execution flow works as needed.

After investigation, I saw some people who wrote the following:

"find the opcode for add esp,-1500 put those bytes at the start of the shellcode remove the nops"

I would appreciate it if anybody could help explain this!

Thanks in advance

Ahmed Taher
  • 701
  • 6
  • 13
  • 23

3 Answers

3

NOPs tend to get flagged by anti-virus, so an alternate method can be used to 'slide' the execution to the shell code. The way you were told was to add 1500 bytes to the ESP, which (I'm assuming) should replace 1500 NOPs, landing you at your shellcode.

If you have not already seen this, you NEED to be reading corelan.be for awesome BO writing tutorials. Here is one that explains the add esp.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • This does not replace the NOPs. Check this: https://www.corelan.be/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/shell-code-offset-confusion/#p7320 – Ahmed Taher Jul 13 '13 at 02:42
1

I found the answer:

'StackAdjustment' => -3500, # Modify stack pointer at shellcode start so it can use the stack without writing on itself.

Ahmed Taher
  • 701
  • 6
  • 13
  • 23
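To make the comment on that `StackAdjustment` line concrete, here is a small model of the problem it solves. This is an added example, not code from the question, the answers, or any framework they mention: it uses a constructed flat memory region, constructed placeholder payload bytes (a letter pattern, not shellcode), and assumed addresses and sizes. It shows that when the payload sits in the overflowed buffer below ESP, the payload's own pushes walk down into it unless ESP is first moved below the payload, and that an adjustment that is too small is worse than none because it parks ESP in the middle of the payload.

```python
"""Model of why a payload that lives on the stack first moves ESP away from itself.

Added example. All addresses and sizes are assumptions for the model, chosen so the
arithmetic is easy to follow; the payload is a constructed marker pattern.
"""
import struct

STACK_TOP = 0x1000            # assumed size of the modelled stack region
ESP_AT_ENTRY = 0x0800         # assumed ESP when execution reaches the payload
PAYLOAD_LEN = 400             # assumed payload size
PAYLOAD_START = ESP_AT_ENTRY - 600   # payload lies in the buffer below ESP
STACK_USAGE = 256             # assumed bytes the payload pushes while it runs


def run_payload(adjustment: int) -> dict:
    """Simulate the payload running after an initial `add esp, adjustment`.

    Every push writes 4 bytes just below ESP, as on x86. Returns how many bytes of
    the payload were overwritten by its own stack traffic.
    """
    mem = bytearray(STACK_TOP)
    marker = bytes(0x41 + (i % 26) for i in range(PAYLOAD_LEN))   # "ABC...Z" pattern
    mem[PAYLOAD_START:PAYLOAD_START + PAYLOAD_LEN] = marker

    esp = ESP_AT_ENTRY + adjustment
    for n in range(STACK_USAGE // 4):
        esp -= 4
        if esp < 0 or esp + 4 > STACK_TOP:
            raise ValueError("modelled stack region exhausted")
        mem[esp:esp + 4] = struct.pack("<I", n)   # pushed value; its content is irrelevant

    after = mem[PAYLOAD_START:PAYLOAD_START + PAYLOAD_LEN]
    clobbered = sum(1 for a, b in zip(after, marker) if a != b)
    return {"esp_after_adjust": ESP_AT_ENTRY + adjustment,
            "clobbered": clobbered,
            "intact": clobbered == 0}


def minimum_adjustment() -> int:
    """Largest (closest to zero) adjustment that still places ESP at or below the
    payload start, so every subsequent push lands below the payload."""
    return PAYLOAD_START - ESP_AT_ENTRY


if __name__ == "__main__":
    for adj in (0, -300, minimum_adjustment(), -1500):
        r = run_payload(adj)
        print(f"adjustment {adj:6d}: ESP -> {r['esp_after_adjust']:#06x}, "
              f"clobbered {r['clobbered']:3d} bytes, intact={r['intact']}")
```

With these assumed numbers, no adjustment lets the last pushes overwrite the tail of the payload; an adjustment of -300 drops ESP inside the payload so every push lands on it; anything at or beyond -600 keeps the stack entirely below the payload, which is why -1500 or -3500 are picked as comfortable margins rather than exact values. The same limit applies in the other direction: the adjusted ESP still has to stay inside the mapped stack, which the model enforces with its bounds check.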
0

First, a disclaimer: I would have to fire up a VM and walk through this to confirm my answer. I really don't do a heck of a lot with Windows exploits. Looking at that article quickly, I believe that you are adjusting the stack so as not to corrupt the current stack frame. When the code block that you are leveraging to overwrite the SEH chain returns, the function prolog will restore ESP from EBP, allowing execution to resume. Later, when an exception is thrown, your SEH overwrite will give you control.

David Hoelzer
  • 615
  • 4
  • 9
  • This is not an SEH based exploit. It is a simple direct return overwrite. Anyway, here is what I have [found](http://gerionsecurity.com/2013/06/stack-adjustment-by-hand/#more-457) about stack adjustment. But I am not able to grasp the whole concept. BTW, thanks for the great spirit of support and help – Ahmed Taher Jul 14 '13 at 02:34
  • You may wish to reword the question a bit then. It says, "When practicing an SEH overwrite" which is a bit misleading if you're not actually worried about SEH in your question. ;) – David Hoelzer Jul 14 '13 at 02:39
  • Sure :) You're most welcome – Ahmed Taher Jul 14 '13 at 02:40