How is a buffer overflow exploit payload structured?
A NOP sled + shellcode (the code to run) followed by filler that overwrites the saved return address with a pointer back into the sled — so when the function returns, execution slides into the shellcode.
* Payload layout — filler overwrites the saved return address with a pointer into the NOP sled, so on return execution slides into the shellcode. *
-
Shellcode: The malicious instructions to execute (e.g., spawn a shell, download malware). Usually 50-200 bytes of machine code.
-
Padding (NOP sled + filler):
- NOP sled: Sequence of "no operation" instructions - if execution lands anywhere in the sled, it slides to the shellcode
- Filler: Bytes to reach exactly to the return address location
-
Return address: Overwrites the saved return address with a pointer to the shellcode (or NOP sled)
Payload layout in memory:
[NOP NOP NOP...][SHELLCODE][PADDING][NEW_RETURN_ADDRESS]
↑__________________________|
Challenge for attacker: Must calculate exact offset to return address and know where shellcode lands in memory (made harder by Address Space Layout Randomization, ASLR).
Go deeper:
Shellcode (Wikipedia) — how the injected payload is built, and why a NOP sled relaxes the exact-address requirement.