You usually don't need to "figure out" the address of the shellcode. You overflow the buffer with a set string and work out the offset. Say

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC

where `BBBB` overwrites EIP (the next instruction address) and `CCCC` drops in where the ESP register is pointing.

You need to find an instruction that would continue execution at the shellcode, which you can insert where `CCCC` begins, such as the `JMP ESP` instruction. This needs to be static (e.g. no ASLR) and the address should not contain any "bad" characters, such as `\x00`, which may terminate the buffer.
So the process is:

- Buffer is overflowed with `A`'s.
- EIP is now pointing at your located `JMP ESP` instruction.
- `JMP ESP` is executed by the processor; as ESP is pointing at your shellcode, execution continues here.
You may need some extra padding on your shellcode at the start with e.g. NOPs (`\x90`) to allow for any expansion from decoding if you are using an encoded payload. However, some AVs and IDSs will detect the signature of many NOPs together, so it might be better for the processor to do busy work instead to prevent detection.

That is the usual method, although it all depends on whether there is space for your payload and whether you manage to locate it in a similar manner to the above. Techniques such as NOP sleds can be used to make locating payloads easier in case you need to write them elsewhere.
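As an added example (not part of the original answer), here is the kind of check an IDS or AV applies for the "many NOPs together" signature mentioned above: it scans a buffer for runs of `\x90` at or above a threshold and reports where they sit. The sample buffer, its layout and the threshold are constructed for illustration.

```python
# Added example: flag runs of NOP (0x90) bytes in a byte buffer, as a
# signature-style detector for NOP sleds. Not code from the original post.

NOP = 0x90  # x86 single-byte NOP

def find_nop_sleds(data: bytes, min_run: int = 16):
    """Return a list of (offset, length) for every run of NOP bytes
    that is at least `min_run` bytes long."""
    sleds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        run = i - start
        if run >= min_run:          # only long runs look like a sled
            sleds.append((start, run))
    return sleds

# Constructed sample mirroring the layout in the answer: padding, a fake
# 4-byte return address, a 32-byte NOP sled, then a few placeholder bytes.
SAMPLE = b"A" * 40 + b"\xef\xbe\xad\xde" + b"\x90" * 32 + b"\xcc" * 8

# A buffer with only a short NOP run, which should not be flagged.
BENIGN = b"\x90" * 4 + b"\x31\xc0" + b"\x90" * 3

if __name__ == "__main__":
    print(find_nop_sleds(SAMPLE))   # [(44, 32)]
    print(find_nop_sleds(BENIGN))   # []
```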