LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How is a buffer overflow exploit payload structured?

A NOP sled + shellcode (the code to run) followed by filler that overwrites the saved return address with a pointer back into the sled — so when the function returns, execution slides into the shellcode.

Buffer-overflow payload: NOP sled, shellcode, filler, and an overwritten return address pointing into the sled.

* Payload layout — filler overwrites the saved return address with a pointer into the NOP sled, so on return execution slides into the shellcode. *

  1. Shellcode: The malicious instructions to execute (e.g., spawn a shell, download malware). Usually 50-200 bytes of machine code.

  2. Padding (NOP sled + filler):

    • NOP sled: Sequence of "no operation" instructions - if execution lands anywhere in the sled, it slides to the shellcode
    • Filler: Bytes to reach exactly to the return address location
  3. Return address: Overwrites the saved return address with a pointer to the shellcode (or NOP sled)

Payload layout in memory:

[NOP NOP NOP...][SHELLCODE][PADDING][NEW_RETURN_ADDRESS]
                    ↑__________________________|

Challenge for attacker: Must calculate exact offset to return address and know where shellcode lands in memory (made harder by Address Space Layout Randomization, ASLR).

Go deeper:

  • doc Shellcode (Wikipedia) — how the injected payload is built, and why a NOP sled relaxes the exact-address requirement.

From Quiz: SPRG / Buffer Overflow | Updated: Jul 05, 2026