I am trying to do an exercise in the area of stack buffer overflows. I'm doing the classical example where the vuln allows you to overwrite EIP. My problem is that I can only use addresses starting with 00, which means I cannot overwrite addresses larger than what ESP is pointing to. So the classical approach of putting the shellcode after the address I'm overwriting EIP with won't work. Instead, I need to put the shellcode before that address, into the buffer. See the simple drawing below.
    <larger stack addresses> ........... <smaller stack addresses>

    ESP                                 Need to jump here somehow
     |                                           |
     V                                           V
    XXXX|AAAA|AAAA|AAAA|AAAA|AAAA|....|AAAA|AAAA|AAAA|....
     A
     |
     |
    My buffer won't reach any addresses larger than ESP because of the 0 in it...
Now the question is: What is the assembly instruction I need to search for that will jump to the address, say, 200 bytes smaller than ESP? I don't know x86 assembler well enough. I have tried everything like jmp [ESP-8], jmp [ESP-16], ... (also with larger offsets), then sub ESP,EBX + jmp ESP, xor ESP,EBX + jmp ESP and so on. I should add here that it looks like I can overwrite EBX as well. So if there was sub ESP,EBX + jmp ESP or something like that, then I could fill EBX with the offset and jump to the shellcode by subtracting the offset from ESP first. But whatever I try, I cannot find the instructions in the module. I think my main problem is that I don't understand x86 assembly language well enough. I have seen instructions like jmp DWORD PTR DS:[ESP+8] in the code, and I have been googling a bit; my limited understanding tells me that this is a relative jump in the data segment. So I would need to do something like this in the stack segment, ideally getting the offset from the EBX register... Does something like this exist?
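Added example, not part of the original post: a minimal gadget finder in C for the situation described above. It scans a byte buffer for short 32-bit x86 instruction chains that end in a register jump (`jmp esp` or `jmp eax`) and tracks, symbolically, how far from ESP the chain lands, where ESP0 is the stack pointer right after the `ret` that popped the overwritten return address. It only knows a handful of encodings that move ESP or copy it into EAX (`sub/add esp, imm`, `lea eax, [esp+disp]`, `mov eax, esp`, `push esp; pop eax`, `sub/add eax, imm8`, `sub esp, ebx`); anything else ends the chain. Two points the code makes explicit: `jmp dword ptr [esp+8]` is an indirect jump through memory, that is, it loads a pointer from the stack slot at ESP+8 and jumps to wherever that pointer points, so it is reported separately and never counted as "lands at ESP+8"; and the imm8 forms of `sub esp`/`add esp` are sign-extended, so a single one reaches at most 0x80 bytes, which is why the sample chains two of them (or uses a disp32 `lea`) to get 200 bytes back. `SAMPLE` is a constructed blob, not bytes from any real module; against a real target you would feed the executable sections of a loaded module and additionally require that the gadget's own address meets the leading-00 constraint from the question.

```c
/* Added example: ESP-relative gadget finder for 32-bit x86 (not from the original post). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Symbolic register value: ESP0 + delta; ctrl = 1 means an attacker-chosen amount
 * (from EBX) was also subtracted. top = last value pushed, for push esp / pop eax. */
typedef struct { int known, ctrl; int32_t delta; } sym_t;
typedef struct { sym_t esp, eax, top; } st_t;

typedef struct {
    size_t off, len;   /* position and byte length of the chain inside the buffer */
    int via_mem;       /* 1: jmp dword ptr [esp+d], pointer loaded from the stack, no fixed landing */
    int ctrl;          /* 1: landing = ESP0 + delta - EBX, with EBX chosen by the attacker */
    int32_t delta;     /* landing = ESP0 + delta */
    char text[256];    /* disassembly of the chain */
} gadget_t;

static int32_t rd32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Decode one instruction at p (n bytes left); returns its length, 0 if unsupported.
 * *jmp: 0 = not a jump, 'S' = jmp esp, 'A' = jmp eax, 'M' = jmp dword ptr [esp+disp8]. */
static int step(const uint8_t *p, size_t n, st_t *s, int *jmp, char *t, size_t tn)
{
    *jmp = 0;
    if (n >= 2 && p[0] == 0xFF && p[1] == 0xE4) { *jmp = 'S'; snprintf(t, tn, "jmp esp"); return 2; }
    if (n >= 2 && p[0] == 0xFF && p[1] == 0xE0) { *jmp = 'A'; snprintf(t, tn, "jmp eax"); return 2; }
    if (n >= 4 && p[0] == 0xFF && p[1] == 0x64 && p[2] == 0x24) {          /* FF /4 with SIB: memory indirect */
        *jmp = 'M'; snprintf(t, tn, "jmp dword ptr [esp%+d]", (int)(int8_t)p[3]); return 4;
    }
    if (n >= 3 && p[0] == 0x83 && (p[1] == 0xEC || p[1] == 0xC4)) {        /* sub/add esp, imm8 (sign-extended) */
        int32_t v = (int8_t)p[2]; s->esp.delta += p[1] == 0xEC ? -v : v;
        snprintf(t, tn, "%s esp,0x%x", p[1] == 0xEC ? "sub" : "add", (unsigned)p[2]); return 3;
    }
    if (n >= 6 && p[0] == 0x81 && (p[1] == 0xEC || p[1] == 0xC4)) {        /* sub/add esp, imm32 */
        int32_t v = rd32(p + 2); s->esp.delta += p[1] == 0xEC ? -v : v;
        snprintf(t, tn, "%s esp,0x%x", p[1] == 0xEC ? "sub" : "add", (unsigned)v); return 6;
    }
    if (n >= 4 && p[0] == 0x8D && p[1] == 0x44 && p[2] == 0x24) {          /* lea eax,[esp+disp8] */
        s->eax = s->esp; s->eax.delta += (int8_t)p[3];
        snprintf(t, tn, "lea eax,[esp%+d]", (int)(int8_t)p[3]); return 4;
    }
    if (n >= 7 && p[0] == 0x8D && p[1] == 0x84 && p[2] == 0x24) {          /* lea eax,[esp+disp32] */
        s->eax = s->esp; s->eax.delta += rd32(p + 3);
        snprintf(t, tn, "lea eax,[esp%+d]", (int)rd32(p + 3)); return 7;
    }
    if (n >= 2 && ((p[0] == 0x89 && p[1] == 0xE0) || (p[0] == 0x8B && p[1] == 0xC4))) {
        s->eax = s->esp; snprintf(t, tn, "mov eax,esp"); return 2;
    }
    if (n >= 1 && p[0] == 0x54) { s->top = s->esp; s->esp.delta -= 4; snprintf(t, tn, "push esp"); return 1; }
    if (n >= 1 && p[0] == 0x58) { s->eax = s->top; s->top.known = 0; s->esp.delta += 4; snprintf(t, tn, "pop eax"); return 1; }
    if (n >= 3 && p[0] == 0x83 && (p[1] == 0xE8 || p[1] == 0xC0)) {        /* sub/add eax, imm8 */
        int32_t v = (int8_t)p[2]; s->eax.delta += p[1] == 0xE8 ? -v : v;
        snprintf(t, tn, "%s eax,0x%x", p[1] == 0xE8 ? "sub" : "add", (unsigned)p[2]); return 3;
    }
    if (n >= 2 && p[0] == 0x29 && p[1] == 0xDC) { s->esp.ctrl = 1; snprintf(t, tn, "sub esp,ebx"); return 2; }
    return 0;
}

#define MAX_CHAIN 5
/* Try a chain at every byte offset; record chains that end in a jump whose target is known relative to ESP0. */
size_t find_gadgets(const uint8_t *buf, size_t n, gadget_t *out, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n && found < max; off++) {
        st_t s = {0}; s.esp.known = 1;            /* ESP0 + 0; EAX and stack top start unknown */
        char chain[256] = ""; size_t pos = off;
        for (int k = 0; k < MAX_CHAIN; k++) {
            int jmp; char txt[48];
            int len = step(buf + pos, n - pos, &s, &jmp, txt, sizeof txt);
            if (!len) break;
            if (*chain) strncat(chain, "; ", sizeof chain - strlen(chain) - 1);
            strncat(chain, txt, sizeof chain - strlen(chain) - 1);
            pos += len;
            if (!jmp) continue;
            sym_t *tgt = jmp == 'S' ? &s.esp : jmp == 'A' ? &s.eax : NULL;
            if (tgt && !tgt->known) break;        /* register jump with no relation to ESP0 */
            gadget_t *g = &out[found++];
            g->off = off; g->len = pos - off; g->via_mem = (jmp == 'M');
            g->ctrl = tgt ? tgt->ctrl : 0; g->delta = tgt ? tgt->delta : 0;
            snprintf(g->text, sizeof g->text, "%s", chain);
            break;
        }
    }
    return found;
}

/* Does this gadget land exactly `want` bytes from ESP0 (or wherever EBX says)? */
int usable_for(const gadget_t *g, int32_t want) { return !g->via_mem && (g->ctrl || g->delta == want); }

/* Constructed sample, NOT bytes from any real binary; offsets are annotated. */
const uint8_t SAMPLE[] = {
    0xCC, 0xCC,                                           /*  0: int3 padding, no chain starts here      */
    0xFF, 0x64, 0x24, 0x08,                               /*  2: jmp dword ptr [esp+8]   (via memory)    */
    0xFF, 0xE4,                                           /*  6: jmp esp                 (ESP0 + 0)      */
    0x83, 0xEC, 0x64, 0x83, 0xEC, 0x64, 0xFF, 0xE4,       /*  8: sub esp,0x64 x2; jmp esp (ESP0 - 200)   */
    0x8D, 0x84, 0x24, 0x38, 0xFF, 0xFF, 0xFF, 0xFF, 0xE0, /* 16: lea eax,[esp-0xC8]; jmp eax (ESP0 - 200)*/
    0x29, 0xDC, 0xFF, 0xE4,                               /* 25: sub esp,ebx; jmp esp    (EBX-chosen)    */
    0x54, 0x58, 0x83, 0xE8, 0x10, 0xFF, 0xE0,             /* 29: push esp; pop eax; sub eax,0x10; jmp eax (ESP0 - 16) */
    0xC3,                                                 /* 36: ret                                     */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    gadget_t g[32];
    size_t n = find_gadgets(SAMPLE, SAMPLE_LEN, g, 32);
    for (size_t i = 0; i < n; i++) {
        printf("+0x%02zx  %-48s ", g[i].off, g[i].text);
        if (g[i].via_mem)   printf("-> pointer loaded from the stack, not an ESP-relative landing\n");
        else if (g[i].ctrl) printf("-> ESP0%+d minus whatever EBX holds\n", (int)g[i].delta);
        else printf("-> ESP0%+d%s\n", (int)g[i].delta, usable_for(&g[i], -200) ? "  <- 200 bytes below ESP" : "");
    }
    return 0;
}
```

Note that every chain is tried from every byte offset, so the sample yields both the full `sub esp,0x64; sub esp,0x64; jmp esp` at +0x08 (landing at ESP0-200) and the shorter one starting at +0x0b (ESP0-100), plus the bare `jmp esp` inside it (ESP0+0, the classic landing right after the return address, which is exactly the spot the question cannot write to). The `sub esp,ebx; jmp esp` chain is reported as attacker-controlled because the landing then depends on the EBX value you place in the buffer.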