A question about buffer overflows...

[drakoth777]

Why is it better to put a memory address that points to a 'jmp to esp' call of a Windows DLL in the EIP, which would in turn, have EIP run a jump to the ESP, which would in turn point to the start of shellcode, instead of just putting a memory address that points to the ESP in the EIP, that way EIP goes directly to ESP and then gets directed to the shellcode?

Could you give some examples of why that wouldn't work?

[barbsie]

Because ESP is not always the same and the jmp ESP address in the particular DLL is (except with vista which has ASLR).

[KMDave]

Why is it better to put a memory address that points to a 'jmp to esp' call of a Windows DLL in the EIP, which would in turn, have EIP run a jump to the ESP, which would in turn point to the start of shellcode, instead of just putting a memory address that points to the ESP in the EIP, that way EIP goes directly to ESP and then gets directed to the shellcode?

Could you give some examples of why that wouldn't work?

The address is different from time to time also depending on the system. Same goes for the jmp address. That's why you should try to use one of the DLL's coming with the application if possible instead of a Windows DLL since the offsets are differnt with different languages.