How Stack is filled and how ESP behaves during stack overflow exploitation


I sent the following string using python to the vulnerable application

buffer = prefix + overflow + return_addr (of JMP ESP) + NOPs + shellcode

The above buffer string successfully gave me the reverse shell, however, I have the following doubts.

  1. When I send this buffer to the vulnerable application and set a breakpoint at the return address (JMP ESP), I see the following state of the registers and stack inside Immunity Debugger: [snapshot of Immunity Debugger]. As per the above snapshot, ESP points to the memory location 01A8FA30. The way I understand the stack memory layout is shown below in a snapshot: [stack layout (as I understand it)]. As per the above stack layout, ESP usually points to the top of the stack, i.e., at the top where the local variables are stored. My query: why, in the Immunity Debugger snapshot, does ESP point to 01A8FA30, which is after the return address? Because as per the stack layout snapshot, ESP should be at the top where the local variables are present.

  2. The buffer string which I had sent to the vulnerable application fills the buffer to successfully give the reverse shell. My query is how this buffer is stored in the stack, i.e., is the shellcode stored first (at a higher memory address), then the NOPs (at a lower memory address), and so on?

  3. As per the stack layout snapshot that I provided in bullet point 1, I am assuming that the NOPs and shellcode should overwrite the arguments space of the stack (at the highest address), and if that is the case, ESP should not lead to the execution of the NOPs and shellcode. What is actually happening here?

I would really appreciate it if someone could provide me clarity on these in separate bullet points. Please note that the snapshot of the stack layout has been created by me the way I understand the stack. Thanks in advance.


There are 0 answers
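The three questions above are all about where the bytes of the string land relative to ESP. The following C program is an added illustration, not code from the question or from the target application; its sizes, the `0x41424344` stand-in for the JMP ESP address, the `int3` bytes standing in for shellcode, and the modelled frame region are all constructed. It checks two things a debugger session shows but a static stack diagram hides: the hardware stack grows toward lower addresses (so a callee's frame sits below its caller's and ESP is the lowest live address), and an unbounded copy writes the string from the buffer's lowest address upward, so the bytes sent first land lowest and the bytes sent after the return address land in the caller's argument area. When the function executes `ret`, the saved return address is popped and ESP moves up by 4, which puts it on the first byte written after that address: the start of the NOP sled. The stack-layout diagram in the question is right for a frame while the function is still running; by the time JMP ESP executes, that frame has been torn down and ESP is sitting exactly where the sled was written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Constructed sizes for the illustration only; a real exploit takes the
 * distance to the saved return address from the target, not from here. */
enum {
    PREFIX_LEN    = 4,   /* whatever the protocol expects in front of the data */
    OVERFLOW_LEN  = 16,  /* filler covering the local buffer and the saved EBP */
    RET_LEN       = 4,   /* 32-bit address of a JMP ESP instruction */
    NOP_LEN       = 8,   /* NOP sled */
    SHELLCODE_LEN = 8,
    PAYLOAD_LEN   = PREFIX_LEN + OVERFLOW_LEN + RET_LEN + NOP_LEN + SHELLCODE_LEN,
    FRAME_SIZE    = 64,  /* modelled stack region; index 0 is the lowest address */
    BUF_OFF       = 8    /* where the vulnerable local buffer starts in that region */
};

/* Placeholder for the gadget address; 0x41424344 is not a real JMP ESP. */
#define FAKE_JMP_ESP 0x41424344u

/* Offsets of each part, measured from the first byte of the local buffer. */
size_t ret_offset(void)       { return PREFIX_LEN + OVERFLOW_LEN; }
size_t nop_offset(void)       { return ret_offset() + RET_LEN; }
size_t shellcode_offset(void) { return nop_offset() + NOP_LEN; }

/* Build the string in exactly the order the question sends it:
 * prefix + overflow + return address + NOPs + shellcode. */
void build_payload(uint8_t out[PAYLOAD_LEN])
{
    size_t p = 0;
    memset(out + p, 'P', PREFIX_LEN);   p += PREFIX_LEN;
    memset(out + p, 'A', OVERFLOW_LEN); p += OVERFLOW_LEN;
    out[p++] = (uint8_t)(FAKE_JMP_ESP);        /* x86 is little-endian: low byte first */
    out[p++] = (uint8_t)(FAKE_JMP_ESP >> 8);
    out[p++] = (uint8_t)(FAKE_JMP_ESP >> 16);
    out[p++] = (uint8_t)(FAKE_JMP_ESP >> 24);
    memset(out + p, 0x90, NOP_LEN);     p += NOP_LEN;  /* NOP sled */
    memset(out + p, 0xCC, SHELLCODE_LEN);               /* int3 stand-in for shellcode */
}

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model the unbounded copy: byte 0 of the string lands at the buffer's lowest
 * address and every later byte one address higher, so the string runs upward
 * through the saved EBP, the saved return address and into the caller's
 * argument area. Returns the index ESP holds right after 'ret' executes, or
 * 0 if the payload does not fit the modelled region. */
size_t simulate_overflow(uint8_t frame[FRAME_SIZE], const uint8_t *payload, size_t len)
{
    if (BUF_OFF + len > FRAME_SIZE) return 0;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_OFF, payload, len);
    size_t saved_eip = BUF_OFF + ret_offset();
    /* ret: EIP = [ESP]; ESP += 4. ESP now points at the first byte written
     * after the return address, i.e. the start of the NOP sled. */
    return saved_eip + 4;
}

/* Real stacks grow toward lower addresses: a callee's locals sit below the
 * caller's, so "top of stack" (ESP) is the LOWEST live address. */
static NOINLINE uintptr_t callee_local_addr(void)
{
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local;
}

int stack_grows_down(void)
{
    volatile int caller_local = 0;
    return callee_local_addr() < (uintptr_t)&caller_local;
}

int main(void)
{
    uint8_t payload[PAYLOAD_LEN], frame[FRAME_SIZE];
    build_payload(payload);
    size_t esp = simulate_overflow(frame, payload, PAYLOAD_LEN);
    printf("stack grows down: %d\n", stack_grows_down());
    printf("saved EIP slot: buffer+%zu holds 0x%08x\n",
           ret_offset(), read_le32(frame + BUF_OFF + ret_offset()));
    printf("ESP after ret = frame[%zu] = 0x%02x (NOP); shellcode begins at frame[%zu] = 0x%02x\n",
           esp, frame[esp], esp + NOP_LEN, frame[esp + NOP_LEN]);
    return 0;
}
```

Read against the three questions: the prefix and filler occupy the lowest addresses, the return address sits in the saved-EIP slot above them, and the NOPs and shellcode sit higher still, in what the diagram labels the arguments area; that area is exactly where ESP lands once `ret` has consumed the slot below it, which is why JMP ESP runs the sled. In a live session the same check is: at the JMP ESP breakpoint, `ESP` equals the address of the saved-EIP slot plus 4, and the dump at `ESP` shows `90 90 ...` followed by the shellcode.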