I understand that a typical stack based buffer overflow attack payload looks something like this:
(return address) (return address) ... (return address) (return address) (return address) (return address) (NOP) (NOP) (NOP) (NOP) ... (NOP) (NOP) (NOP) (NOP) (SHELLCODE)
I also understand that successful execution of the shellcode depends on a few things:
- The repeating return address portion of the payload has to overwrite the return pointer of that stack frame
- That return address has to be the address of some part of the NOP slide (or the beginning of the shellcode)
What I don't get is how malware that uses this technique can always get these two things right. It seems to me that in order to craft a working payload, the attacker has to know the approximate address of the target buffer and its approximate distance from the return address.
Are these two usually pretty deterministic? For example, if the attacker does a few sessions of trial and error until it works on his machine, will that same payload work on all other machines with the exact same binaries?
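Added example, not part of the question or of any answer on this page: a small Linux C program that reports the address of a local stack buffer and reads the kernel's stack-randomisation setting, so the determinism the question asks about can be observed directly by running the binary several times. The path /proc/sys/kernel/randomize_va_space and the meaning of its values (0, 1, 2) are standard Linux; the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Address of a 64-byte local buffer, returned as an integer (the pointer is
 * never dereferenced after the function returns). Run the binary repeatedly:
 * with stack randomisation active the value changes on every run, which is
 * exactly what makes a fixed guessed address unreliable across machines. */
uintptr_t stack_buffer_address(void)
{
    volatile char buf[64];
    buf[0] = 'A';                 /* keep the buffer from being optimised away */
    return (uintptr_t)buf;
}

/* Parse the text of /proc/sys/kernel/randomize_va_space:
 *   0 = no randomisation, 1 = stack/mmap/vdso randomised, 2 = also brk.
 * Returns -1 for anything that is not one of those three values. */
int parse_randomize_va_space(const char *contents)
{
    if (contents == NULL)
        return -1;
    while (*contents == ' ' || *contents == '\t')
        contents++;
    if ((contents[0] == '0' || contents[0] == '1' || contents[0] == '2') &&
        (contents[1] == '\0' || contents[1] == '\n'))
        return contents[0] - '0';
    return -1;
}

/* Read the live setting; -1 if the file is absent (non-Linux) or unparsable. */
int read_aslr_level(void)
{
    char line[16] = {0};
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    if (fgets(line, sizeof line, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_randomize_va_space(line);
}

int main(void)
{
    uintptr_t addr = stack_buffer_address();
    int level = read_aslr_level();

    printf("local stack buffer at 0x%lx\n", (unsigned long)addr);
    if (level < 0)
        printf("randomize_va_space: unavailable on this system\n");
    else
        printf("randomize_va_space = %d (%s)\n", level,
               level == 0 ? "stack address repeats across runs"
                          : "stack address changes on every run");
    return 0;
}
```

Compile with `cc -o aslr_check aslr_check.c` and run it a few times: when the kernel reports 1 or 2, the printed buffer address differs between runs, so the two conditions the question lists (the buffer's address and the guessed return address lining up) cannot be taken as fixed from one run to the next, let alone across machines. Only with the setting at 0 does the address repeat.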