Usually we all see the basic buffer overflow format, which has:
NOPs + shellcode + return_address
Why don't we use
NOPs + return_address + shellcode?
where we make the return address point to the start of the shellcode?
I'm guessing that this is because we might be trying to write data outside the stack segment if the vulnerability is in main(). Am I right? If I am, is that the only reason?
Oh, and yes, I am not referring to other kinds of attacks which use return-to-libc, ptrace, etc.; I just wish to know why the most basic buffer overflow attack is demonstrated in the first way and not the second everywhere.
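To make the two layouts concrete, here is an added example (my own code, not from the question or any answer) that assembles both payloads as byte strings and simulates where control lands for each. It assumes a hypothetical x86-64 target whose local buffer is 64 bytes with the saved return address 72 bytes past the buffer start, a guessed buffer address of 0x7fffffffe000, and an inert placeholder "shellcode" of int3 (0xCC) bytes; none of these values come from a real program. It does not attack anything; it only lays the bytes out and walks the NOP sled, which shows that with NOPs + return_address + shellcode the shellcode bytes are written past the saved return address slot (into the caller's frame) and the return address has to be exact, since the NOPs in front of it slide into the address bytes rather than into code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed target geometry (hypothetical): 64-byte buffer, then the saved
 * frame pointer, so the saved return address is 72 bytes past buf[0]. */
#define BUF_SIZE   64
#define RET_OFFSET 72
#define PTR_SIZE   8
#define NOP        0x90

/* Placeholder "shellcode": int3 breakpoints, so the example stays inert. */
static const uint8_t shellcode[16] = {
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

struct payload {
    uint8_t  bytes[256];
    size_t   len;
    size_t   ret_at;         /* offset of the overwritten return address */
    size_t   code_at;        /* offset of the first shellcode byte */
    uint64_t ret_target;     /* where the overwritten return address points */
    size_t   bytes_past_ret; /* bytes written beyond the return-address slot */
};

static void put_le64(uint8_t *dst, uint64_t v) {
    for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* Layout A: NOPs + shellcode + return_address.
 * Everything sits below the saved return address; the address points back
 * into the sled, so any guess inside the sled slides into the shellcode. */
struct payload build_sled_code_ret(uint64_t buf_addr) {
    struct payload p = {0};
    size_t nops = RET_OFFSET - sizeof shellcode;      /* 56 */
    memset(p.bytes, NOP, nops);
    p.code_at = nops;
    memcpy(p.bytes + p.code_at, shellcode, sizeof shellcode);
    p.ret_at = RET_OFFSET;
    p.ret_target = buf_addr + nops / 2;               /* aim at mid-sled */
    put_le64(p.bytes + p.ret_at, p.ret_target);
    p.len = RET_OFFSET + PTR_SIZE;
    p.bytes_past_ret = 0;
    return p;
}

/* Layout B: NOPs + return_address + shellcode.
 * The shellcode now lives above the saved return address, i.e. in the
 * caller's frame, and the address must point exactly at it. */
struct payload build_sled_ret_code(uint64_t buf_addr) {
    struct payload p = {0};
    memset(p.bytes, NOP, RET_OFFSET);
    p.ret_at = RET_OFFSET;
    p.code_at = RET_OFFSET + PTR_SIZE;
    p.ret_target = buf_addr + p.code_at;
    put_le64(p.bytes + p.ret_at, p.ret_target);
    memcpy(p.bytes + p.code_at, shellcode, sizeof shellcode);
    p.len = p.code_at + sizeof shellcode;
    p.bytes_past_ret = p.len - (p.ret_at + PTR_SIZE);
    return p;
}

/* Simulate control landing at `target`: slide over NOP bytes and report
 * whether execution reaches the first shellcode byte. Returns 1 on success. */
int sled_reaches_shellcode(const struct payload *p, uint64_t buf_addr,
                           uint64_t target) {
    if (target < buf_addr || target >= buf_addr + p->len) return 0;
    size_t off = (size_t)(target - buf_addr);
    while (off < p->len && off != p->code_at && p->bytes[off] == NOP) off++;
    return off == p->code_at;
}

int main(void) {
    uint64_t base = 0x7fffffffe000ULL;               /* guessed buffer address */
    struct payload a = build_sled_code_ret(base);
    struct payload b = build_sled_ret_code(base);
    printf("A: len=%zu ret@%zu code@%zu past_ret=%zu start-of-sled ok=%d\n",
           a.len, a.ret_at, a.code_at, a.bytes_past_ret,
           sled_reaches_shellcode(&a, base, base));
    printf("B: len=%zu ret@%zu code@%zu past_ret=%zu start-of-sled ok=%d exact ok=%d\n",
           b.len, b.ret_at, b.code_at, b.bytes_past_ret,
           sled_reaches_shellcode(&b, base, base),
           sled_reaches_shellcode(&b, base, b.ret_target));
    return 0;
}
```

Compile with `cc -std=c11 payload_layout.c` and run; the program touches no real stack, so it is safe to run anywhere. Try changing `RET_OFFSET` or the placeholder shellcode length to see how each layout's `bytes_past_ret` and sled tolerance change.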