KK
Uploaded byKory Kyzar
PDF, PPTX128 views

Buffer Overflows 101: Some Assembly Required

This document provides an introduction to stack buffer overflows on x86 architecture. It explains what a buffer is, how an overflow occurs when too much data is stored in a buffer, and how this can be exploited to overwrite the instruction pointer and redirect program flow. It discusses CPU registers like EBP, ESP and EIP that are involved. Finally, it outlines the steps to craft an exploit, including using patterns to find the offset, msfvenom to generate shellcode, and a NOP sled and JMP ESP to redirect execution to the shellcode.

Embed presentation

Download as PDF, PPTX
BUFFER OVERFLOWS 101 SOME ASSEMBLY REQUIRED KORY KYZAR
This talk is… Very high level Restricted to stack buffer overflows Restricted to x86 architecture
What’s a buffer? A buffer can be thought of as an allocated space in memory intended to hold a certain amount of data. char A[10]; Allocate 10 bytes for the variable A
Ok, and overflow? Storing more data in the buffer than it is designed to hold. t o o m u c h d a t a strcopy(A, “toomuchdata”); A Data is written to memory outside the region allocated to A. 
 We’ve overflowed the buffer.
So What Happens?
Crash
Score
So how do we score?
So how do we score? Slow down there Romeo.
So how do we score? Slow down there Romeo.
CPU REGISTERS
General Purpose Registers Small storage areas on the CPU that allow for very fast access. x86 CPUs have 8 general purpose registers. Basically, data from memory is loaded into a register, some form of processing is done, then the data is saved back to memory. Main ones we are concerned with are EBP and ESP. EIP is not considered a general purpose register, but we are interested in it as well.
EBP - The Base Pointer Used to track the base of the current frame (function). Can be used for other purposes
ESP - The Stack Pointer Used to track the top of the stack. As data is moved onto (PUSH) or off of (POP), the ESP register is incremented or decremented accordingly
EIP - Instruction Pointer Always points to the memory address of the next instruction to be executed by the CPU
EIP - Instruction Pointer Always points to the memory address of the next instruction to be executed by the CPU
THE STACK
What is the stack? Data structure that store values contiguously in memory Last In First Out structure ESP register marks the top of the stack
Assume the below program #include <string.h> void foo (char *bar) { char A[10]; strcpy(A, bar); // no bounds checking } int main (int argc, char **argv) { foo(argv[1]); } Program simply takes an argument on the command line and copies it into a variable that is allocated 10 bytes (A) https://en.wikipedia.org/wiki/Stack_buffer_overflow
Stack - Program Initializes main High Mem Address Low Mem Address EBP ESP
Stack - Foo Function Called ret address main High Mem Address Low Mem Address EBP ESP
Stack - Foo Function Called ret address main High Mem Address Low Mem Address EBP ESP
Stack - Foo Function Called saved EBP ret address main High Mem Address Low Mem Address EBP ESP
Stack - Foo Function Called saved EBP ret address main High Mem Address Low Mem Address EBPESP
Stack - Foo Function Called 10 bytes reserved for A saved EBP ret address main High Mem Address Low Mem Address EBP ESP
Stack - strcopy()
Assume we executed our program with an argument of “AAAAAAAAAA” AAAA
 AAAA
 AA saved EBP ret address main High Mem Address Low Mem Address EBP ESP
Stack - strcopy()
Now let’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
Stack - strcopy()
Now let’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
Stack - strcopy()
Now let’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
Stack - strcopy()
Now let’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP We just overwrote the RET address,
 meaning we can tell the CPU
 which instruction to execute next.
CONGRATULATIONS!
 YOU CRASHED.
Buffer Overflow Shopping List We need….. The offset in the buffer at which EIP is overwritten. Code to perform the exploit. A way to direct EIP to the code we want to run.
The buffer you were trying to overflow was larger than 10 bytes? Let’s say we have a large buffer of an unknown size. We could write a fuzzer that submits an increasing number of “A”s and make note of the length that causes the crash. But how do we know which of the “A”’s overwrote EIP? What if…?
Finding the offset pattern_create.rb is a ruby script that creates a non repeating sequence of characters of a given length.
Finding the offset Using the string generated by pattern_create.rb as your input, you would analyze where the program crashed in a debugger. (i.e. Access violation when executing 30614239) Then you would check where that series of characters was in string with pattern_offset.rb Now you have the exact position in the buffer to place your return address
Shellcode Assembly code generated to execute the payload of the attackers choice Shellcode must be carefully crafted by hand…RIGHT?
Shellcode Assembly code generated to execute the payload of the attackers choice Shellcode must be carefully crafted by hand…RIGHT?
MSFVENOM MSFPAYLOAD AND MSFENCODE HAVE BEEN DEPRECATED IN FAVOR OF MSFVENOM
So where do we point EIP? We need to get the CPU to execute our shellcode “So just set EIP to the address at the beginning of your shellcode!?”
So where do we point EIP? We need to get the CPU to execute our shellcode “So just set EIP to the address at the beginning of your shellcode!?”
Setting the RET address You can’t hardcode the EIP address in since the program will be loaded into different places in memory at each execution. JMP ESP - one of the most common methods of getting back to your shellcode is to point EIP to a JMP ESP command. This can be used since its relative. This causes EIP to go to the address in the ESP register, which you should be able to use to access your shellcode.
Putting it all together Padding NOP Sled Shellcode EIP = JMP ESP Padding Our Crafted
 Buffer Overflow
DEMO? THIS WILL PROBABLY END IN FLAMES
@0XKTWO K2@KORROSIVESECURITY.COM

More Related Content

PPTX
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
PPT
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PPTX
Operating Systems - A Primer
bySaumil Shah
 
PDF
Symfony live 2017_php7_performances
byjulien pauli
 
PDF
SymfonyCon 2017 php7 performances
byjulien pauli
 
PDF
New features in Ruby 2.5
byIreneusz Skrobiś
 
PDF
PHP 7 performances from PHP 5
byjulien pauli
 
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
Exploitation Crash Course
byUTD Computer Security Group
 
Operating Systems - A Primer
bySaumil Shah
 
Symfony live 2017_php7_performances
byjulien pauli
 
SymfonyCon 2017 php7 performances
byjulien pauli
 
New features in Ruby 2.5
byIreneusz Skrobiś
 
PHP 7 performances from PHP 5
byjulien pauli
 

What's hot

PDF
PL/Perl - New Features in PostgreSQL 9.0
byTim Bunce
 
PDF
Php extensions workshop
byjulien pauli
 
PDF
Ip Access Lists
byCCNAResources
 
ODP
Drupal and Varnish Reverse Proxy
byVFXCode
 
PPT
Exploiting stack overflow 101
byn|u - The Open Security Community
 
PDF
Exploiting 101
byAckcent
 
PDF
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
byTim Bunce
 
PPTX
Return oriented programming (ROP)
byPipat Methavanitpong
 
PDF
ROP 輕鬆談
byhackstuff
 
PPTX
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
PDF
Ios i pv4_access_lists
byMohamed Gamel
 
PPTX
Shellcode mastering
byPositive Hack Days
 
PDF
extending-php
bytutorialsruby
 
PDF
Emu8086
byrangarajb2005
 
PDF
Flask With Server-Sent Event
byTencent
 
PDF
Php and threads ZTS
byjulien pauli
 
PL/Perl - New Features in PostgreSQL 9.0
byTim Bunce
 
Php extensions workshop
byjulien pauli
 
Ip Access Lists
byCCNAResources
 
Drupal and Varnish Reverse Proxy
byVFXCode
 
Exploiting stack overflow 101
byn|u - The Open Security Community
 
Exploiting 101
byAckcent
 
Devel::NYTProf 2009-07 (OUTDATED, see 201008)
byTim Bunce
 
Return oriented programming (ROP)
byPipat Methavanitpong
 
ROP 輕鬆談
byhackstuff
 
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
Ios i pv4_access_lists
byMohamed Gamel
 
Shellcode mastering
byPositive Hack Days
 
extending-php
bytutorialsruby
 
Emu8086
byrangarajb2005
 
Flask With Server-Sent Event
byTencent
 
Php and threads ZTS
byjulien pauli
 

Viewers also liked

PDF
DEP/ASLR bypass without ROP/JIT
byArtem I. Baranov
 
PPT
Al2ed chapter7
byAbdullelah Al-Fahad
 
PDF
2006 ssiai
byPioneer Natural Resources
 
PPTX
test
byaaro11
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
PDF
Shellcode injection
byDhaval Kapil
 
PPT
Buffer Overflow
byKaustubh Padwad
 
PPT
6 buffer overflows
bydrewz lin
 
PPTX
Assembly 8086
byMustafa Salah
 
PPTX
Exploit Development
bykyaw thiha
 
PDF
APT(Advanced Persistent Threats) & strategies to counter APT
byAvkash Kathiriya
 
PPT
Installation of Drupal on Windows XP with XAMPP
byRupesh Kumar
 
PDF
Smashing The Stack
byDaniele Bellavista
 
PDF
Exploit development 101 - Part 1 - Null Singapore
byMohammed A. Imran
 
DOCX
8086 addressing modes
byj4jiet
 
PPT
Buffer Overflow Attacks
byharshal kshatriya
 
PPTX
Buffer overflow attacks
byKapil Nagrale
 
PPT
11 instruction sets addressing modes
bySher Shah Merkhel
 
PPTX
Buffer overflow
byEvgeni Tsonev
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
DEP/ASLR bypass without ROP/JIT
byArtem I. Baranov
 
Al2ed chapter7
byAbdullelah Al-Fahad
 
2006 ssiai
byPioneer Natural Resources
 
test
byaaro11
 
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
Shellcode injection
byDhaval Kapil
 
Buffer Overflow
byKaustubh Padwad
 
6 buffer overflows
bydrewz lin
 
Assembly 8086
byMustafa Salah
 
Exploit Development
bykyaw thiha
 
APT(Advanced Persistent Threats) & strategies to counter APT
byAvkash Kathiriya
 
Installation of Drupal on Windows XP with XAMPP
byRupesh Kumar
 
Smashing The Stack
byDaniele Bellavista
 
Exploit development 101 - Part 1 - Null Singapore
byMohammed A. Imran
 
8086 addressing modes
byj4jiet
 
Buffer Overflow Attacks
byharshal kshatriya
 
Buffer overflow attacks
byKapil Nagrale
 
11 instruction sets addressing modes
bySher Shah Merkhel
 
Buffer overflow
byEvgeni Tsonev
 
Buffer overflow attacks
byJoe McCarthy
 

Similar to Buffer Overflows 101: Some Assembly Required

ODP
Exploiting Memory Overflows
byAnkur Tyagi
 
ODP
Exploiting buffer overflows
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Basic buffer overflow part1
byPayampardaz
 
PPTX
Buffer overflow attacks
byJapneet Singh
 
PDF
StackOverflow
bySusam Pal
 
PDF
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 
PDF
The Stack and Buffer Overflows
byUTD Computer Security Group
 
PPTX
Exploit exercises.com stack-overflows
bycommiebstrd
 
PDF
Exploitation
bySecurity B-Sides
 
PPTX
Introduction to Linux Exploit Development
byjohndegruyter
 
TXT
Exploit techniques - a quick review
byCe.Se.N.A. Security
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
byn|u - The Open Security Community
 
ODP
Emo-Exploitation
byw0nd
 
PDF
Buffer Overflow - Smashing the Stack
byironSource
 
PDF
Dive into exploit development
byPayampardaz
 
PDF
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
PDF
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
PDF
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
PPTX
Buffer overflow – Smashing The Stack
byTomer Zait
 
PPTX
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 
Exploiting Memory Overflows
byAnkur Tyagi
 
Exploiting buffer overflows
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Basic buffer overflow part1
byPayampardaz
 
Buffer overflow attacks
byJapneet Singh
 
StackOverflow
bySusam Pal
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 
The Stack and Buffer Overflows
byUTD Computer Security Group
 
Exploit exercises.com stack-overflows
bycommiebstrd
 
Exploitation
bySecurity B-Sides
 
Introduction to Linux Exploit Development
byjohndegruyter
 
Exploit techniques - a quick review
byCe.Se.N.A. Security
 
Buffer Overflow Demo by Saurabh Sharma
byn|u - The Open Security Community
 
Emo-Exploitation
byw0nd
 
Buffer Overflow - Smashing the Stack
byironSource
 
Dive into exploit development
byPayampardaz
 
CNIT 127 Ch Ch 1: Before you Begin
bySam Bowne
 
CNIT 127 Ch 1: Before you Begin
bySam Bowne
 
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
Buffer overflow – Smashing The Stack
byTomer Zait
 
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 

Recently uploaded

PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
The year in review - MarvelClient in 2025
bypanagenda
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 

Buffer Overflows 101: Some Assembly Required

  • 1.
    BUFFER OVERFLOWS 101 SOMEASSEMBLY REQUIRED KORY KYZAR
  • 2.
    This talk is… Veryhigh level Restricted to stack buffer overflows Restricted to x86 architecture
  • 3.
    What’s a buffer? Abuffer can be thought of as an allocated space in memory intended to hold a certain amount of data. char A[10]; Allocate 10 bytes for the variable A
  • 4.
    Ok, and overflow? Storingmore data in the buffer than it is designed to hold. t o o m u c h d a t a strcopy(A, “toomuchdata”); A Data is written to memory outside the region allocated to A. 
 We’ve overflowed the buffer.
  • 5.
  • 6.
  • 7.
  • 8.
    So how dowe score?
  • 9.
    So how dowe score? Slow down there Romeo.
  • 10.
    So how dowe score? Slow down there Romeo.
  • 11.
  • 12.
    General Purpose Registers Smallstorage areas on the CPU that allow for very fast access. x86 CPUs have 8 general purpose registers. Basically, data from memory is loaded into a register, some form of processing is done, then the data is saved back to memory. Main ones we are concerned with are EBP and ESP. EIP is not considered a general purpose register, but we are interested in it as well.
  • 13.
    EBP - TheBase Pointer Used to track the base of the current frame (function). Can be used for other purposes
  • 14.
    ESP - TheStack Pointer Used to track the top of the stack. As data is moved onto (PUSH) or off of (POP), the ESP register is incremented or decremented accordingly
  • 15.
    EIP - InstructionPointer Always points to the memory address of the next instruction to be executed by the CPU
  • 16.
    EIP - InstructionPointer Always points to the memory address of the next instruction to be executed by the CPU
  • 17.
  • 18.
    What is thestack? Data structure that store values contiguously in memory Last In First Out structure ESP register marks the top of the stack
  • 19.
    Assume the belowprogram #include <string.h> void foo (char *bar) { char A[10]; strcpy(A, bar); // no bounds checking } int main (int argc, char **argv) { foo(argv[1]); } Program simply takes an argument on the command line and copies it into a variable that is allocated 10 bytes (A) https://en.wikipedia.org/wiki/Stack_buffer_overflow
  • 20.
    Stack - ProgramInitializes main High Mem Address Low Mem Address EBP ESP
  • 21.
    Stack - FooFunction Called ret address main High Mem Address Low Mem Address EBP ESP
  • 22.
    Stack - FooFunction Called ret address main High Mem Address Low Mem Address EBP ESP
  • 23.
    Stack - FooFunction Called saved EBP ret address main High Mem Address Low Mem Address EBP ESP
  • 24.
    Stack - FooFunction Called saved EBP ret address main High Mem Address Low Mem Address EBPESP
  • 25.
    Stack - FooFunction Called 10 bytes reserved for A saved EBP ret address main High Mem Address Low Mem Address EBP ESP
  • 26.
    Stack - strcopy()
Assumewe executed our program with an argument of “AAAAAAAAAA” AAAA
 AAAA
 AA saved EBP ret address main High Mem Address Low Mem Address EBP ESP
  • 27.
    Stack - strcopy()
Nowlet’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
  • 28.
    Stack - strcopy()
Nowlet’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
  • 29.
    Stack - strcopy()
Nowlet’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP
  • 30.
    Stack - strcopy()
Nowlet’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA” AAAA
 AAAA
 AA AAAA AAAA main High Mem Address Low Mem Address EBP ESP We just overwrote the RET address,
 meaning we can tell the CPU
 which instruction to execute next.
  • 31.
  • 32.
    Buffer Overflow ShoppingList We need….. The offset in the buffer at which EIP is overwritten. Code to perform the exploit. A way to direct EIP to the code we want to run.
  • 33.
    The buffer youwere trying to overflow was larger than 10 bytes? Let’s say we have a large buffer of an unknown size. We could write a fuzzer that submits an increasing number of “A”s and make note of the length that causes the crash. But how do we know which of the “A”’s overwrote EIP? What if…?
  • 34.
    Finding the offset pattern_create.rbis a ruby script that creates a non repeating sequence of characters of a given length.
  • 35.
    Finding the offset Usingthe string generated by pattern_create.rb as your input, you would analyze where the program crashed in a debugger. (i.e. Access violation when executing 30614239) Then you would check where that series of characters was in string with pattern_offset.rb Now you have the exact position in the buffer to place your return address
  • 36.
    Shellcode Assembly code generated toexecute the payload of the attackers choice Shellcode must be carefully crafted by hand…RIGHT?
  • 37.
    Shellcode Assembly code generated toexecute the payload of the attackers choice Shellcode must be carefully crafted by hand…RIGHT?
  • 38.
    MSFVENOM MSFPAYLOAD AND MSFENCODEHAVE BEEN DEPRECATED IN FAVOR OF MSFVENOM
  • 39.
    So where dowe point EIP? We need to get the CPU to execute our shellcode “So just set EIP to the address at the beginning of your shellcode!?”
  • 40.
    So where dowe point EIP? We need to get the CPU to execute our shellcode “So just set EIP to the address at the beginning of your shellcode!?”
  • 41.
    Setting the RETaddress You can’t hardcode the EIP address in since the program will be loaded into different places in memory at each execution. JMP ESP - one of the most common methods of getting back to your shellcode is to point EIP to a JMP ESP command. This can be used since its relative. This causes EIP to go to the address in the ESP register, which you should be able to use to access your shellcode.
  • 42.
    Putting it alltogether Padding NOP Sled Shellcode EIP = JMP ESP Padding Our Crafted
 Buffer Overflow
  • 43.
  • 44.