且构网

Writing a buffer overflow exploit - how do you find the address of the shellcode?

Updated: 2023-11-08 11:00:52

You usually don't need to "figure out" the address of the shellcode. You overflow the buffer with a set string and work out the offset. Say

AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC

where BBBB overwrites EIP (the next instruction address) and CCCC drops in where the ESP register is pointing.

You need to find an instruction that would continue execution at the shellcode, which you can insert where CCCC begins. Such as the JMP ESP instruction. This needs to be static (e.g. no ASLR) and the address should not contain any "bad" characters, such as \x00 which may terminate the buffer.

So the process is:

  1. Buffer is overflowed with A's.
  2. EIP is now pointing at your located JMP ESP instruction.
  3. JMP ESP is executed by the processor - as ESP is pointing at your shellcode, execution continues here.

You may need some extra padding on your shellcode at the start with e.g. NOPs (\x90) to allow for any expansion from decoding if you are using an encoded payload. However, some AVs and IDSs will detect the signature of many NOPs together so it might be better for the processor to do busy work instead to prevent detection.

That is the usual method, although it all depends if there is space for your payload and if you manage to locate it in a similar manner to the above. Techniques such as NOP sleds can be used to make locating payloads easier in case you need to write them elsewhere.
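As an added illustration of the detection the answer alludes to (this is not code from the original post), the following Python check scans a byte string for long runs of a single repeated byte, the kind of signature an IDS matches to flag a NOP sled of \x90s. The sample payload, which mirrors the A/BBBB/CCCC layout described above, and the run-length threshold are constructed assumptions.

```python
from typing import List, Tuple

# Constructed sample, not from the original answer: the layout the answer
# describes (A padding, 4 bytes landing on EIP, 4 bytes landing at ESP),
# followed by a NOP sled and a few dummy bytes standing in for a payload.
SAMPLE_PAYLOAD = b"A" * 28 + b"BBBB" + b"CCCC" + b"\x90" * 32 + b"\xcc" * 8

NOP = 0x90  # the x86 single-byte NOP the answer mentions (\x90)


def find_repeated_runs(data: bytes, min_len: int = 16) -> List[Tuple[int, int, int]]:
    """Return (offset, byte_value, run_length) for every run of one repeated
    byte that is at least min_len long. A run of 0x90 is the classic NOP-sled
    signature; runs of other bytes catch filler such as the A padding."""
    runs: List[Tuple[int, int, int]] = []
    i = 0
    n = len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, data[i], j - i))
        i = j  # continue scanning after the run just measured
    return runs


def nop_sled_offsets(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Narrow the generic run finder to 0x90 only, as (offset, length) pairs."""
    return [(off, ln) for off, val, ln in find_repeated_runs(data, min_len) if val == NOP]


if __name__ == "__main__":
    for off, val, ln in find_repeated_runs(SAMPLE_PAYLOAD):
        print(f"run of 0x{val:02x} x{ln} at offset {off}")
    print("NOP sleds:", nop_sled_offsets(SAMPLE_PAYLOAD))
```

A threshold this low will also match legitimate zero padding in binary protocols, so in practice a run-length match is one signal to correlate with others (oversized fields, unexpected binary in a text field) rather than an alert on its own.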