C Simple Buffer Overflow Shellcode location


I'm trying to understand the basic principles of buffer overflows. During countless hours of reading, one of the things I noted was:

Most of the time the exploit string structure looks like this, where the NOPs and shellcode are located in the first part, before the buffer overflow:

[NOPS-SHELLCODE-NEWEIPADDRESS]

Now, I like thinking outside the box, so I tried this, where the shellcode is located after the new EIP address on the stack:

[NOPS-NEWEIPADDRESS-SHELLCODE]

I succeeded at exploiting my test vulnerability this way, but I really wonder why nobody writes or uses this kind of example. Is it bad practice, or what am I overlooking?


I think the second way you used to achieve the buffer overflow is worse than the first one.

Let me explain.

In general, the operating system has a security feature called ASLR.

In short, your stack address (buffer address) will be different every time you execute.

So you have to guess the buffer address; that's what the NOP sled is for.

If your NEWEIPADDRESS lands within the NOP sled or on the first byte of the shellcode, your exploit succeeds.

However, if you use the second way, you only succeed when your NEWEIPADDRESS is the first byte of the shellcode.

If you land in the NOP sled, your NEWEIPADDRESS will be interpreted as assembly instructions to execute.

In most cases, your NEWEIPADDRESS will make your exploit fail, unless NEWEIPADDRESS consists entirely of NOP bytes.
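The point the answer makes (how many address guesses actually reach the shellcode) can be measured rather than argued. The following C program is an added example, not code from the asker or the answerer: it models a 64-byte overflowed buffer, fills it with the two layouts from the thread plus a third common shape ([PADDING][RET][NOPS][SHELLCODE], the sled placed above the overwritten return address), and then counts how many landing offsets lead to the shellcode. The model is deliberately conservative: stepping over 0x90 bytes succeeds, and executing any other byte (an address byte, padding, the middle of the shellcode) is counted as a crash, even though a real CPU might sometimes decode such bytes harmlessly. The return address 0xbffff5a0, the buffer size, the 16 bytes of padding in layout C and the choice of shellcode stub are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOP     0x90
#define BUF_LEN 64     /* assumed size of the overflowed region, in bytes   */
#define RET_LEN 4      /* 32-bit saved EIP                                   */

/* Standard 23-byte Linux x86 execve("/bin/sh") stub, used only as realistic
 * filler: the model cares about its length and its first byte, not what it does. */
static const unsigned char SHELLCODE[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68,
    0x68, 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x50,
    0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80
};
#define SC_LEN ((size_t)sizeof SHELLCODE)

struct layout {
    unsigned char bytes[BUF_LEN];   /* the exploit string as it sits in memory */
    size_t shell_start;             /* offset of the first shellcode byte      */
};

/* Helpers that append a byte run to the layout and return the next offset. */
static size_t put(struct layout *l, size_t at, const unsigned char *src, size_t n)
{
    memcpy(l->bytes + at, src, n);
    return at + n;
}
static size_t fill(struct layout *l, size_t at, unsigned char c, size_t n)
{
    memset(l->bytes + at, c, n);
    return at + n;
}

/* Build one of three exploit-string shapes, each exactly BUF_LEN bytes:
 *   'A': [NOPS][SHELLCODE][RET]           the usual diagram from the question
 *   'B': [NOPS][RET][SHELLCODE]           the layout the asker tried
 *   'C': [PADDING][RET][NOPS][SHELLCODE]  the common shape with the sled above RET
 * `ret` is the guessed address, written little-endian over the saved EIP. */
static void build(char shape, uint32_t ret, struct layout *l)
{
    const unsigned char r[RET_LEN] = {
        (unsigned char)(ret), (unsigned char)(ret >> 8),
        (unsigned char)(ret >> 16), (unsigned char)(ret >> 24)
    };
    const size_t sled = BUF_LEN - SC_LEN - RET_LEN;   /* 37 NOP bytes in A and B */
    size_t at = 0;

    memset(l, 0, sizeof *l);
    switch (shape) {
    case 'A':
        at = fill(l, at, NOP, sled);
        l->shell_start = at; at = put(l, at, SHELLCODE, SC_LEN);
        at = put(l, at, r, RET_LEN);
        break;
    case 'B':
        at = fill(l, at, NOP, sled);
        at = put(l, at, r, RET_LEN);
        l->shell_start = at; at = put(l, at, SHELLCODE, SC_LEN);
        break;
    default: /* 'C' */
        at = fill(l, at, 'A', 16);            /* assumed junk that only fills the buffer */
        at = put(l, at, r, RET_LEN);
        at = fill(l, at, NOP, sled - 16);     /* 21 NOP bytes after the return address  */
        l->shell_start = at; at = put(l, at, SHELLCODE, SC_LEN);
        break;
    }
}

/* Conservative model of what happens when EIP lands at offset `pc`: single-byte
 * NOPs are stepped over, reaching the first shellcode byte is a success, and
 * executing any other byte is counted as a crash. Note that address bytes equal
 * to 0x90 are stepped over too, which is the "all NOP" case the answer mentions. */
static int lands(const struct layout *l, size_t pc)
{
    for (; pc < BUF_LEN; pc++) {
        if (pc == l->shell_start) return 1;
        if (l->bytes[pc] != NOP) return 0;
    }
    return 0;
}

/* Number of landing offsets (i.e. address guesses) that reach the shellcode. */
static int landing_window(char shape, uint32_t ret)
{
    struct layout l;
    int n = 0;
    build(shape, ret, &l);
    for (size_t pc = 0; pc < BUF_LEN; pc++)
        n += lands(&l, pc);
    return n;
}

int main(void)
{
    const uint32_t ret = 0xbffff5a0u;   /* constructed stack address guess */
    printf("A [NOPS][SC][RET]      : %d/%d offsets work\n", landing_window('A', ret), BUF_LEN);
    printf("B [NOPS][RET][SC]      : %d/%d offsets work\n", landing_window('B', ret), BUF_LEN);
    printf("B with RET=0x90909090  : %d/%d offsets work\n", landing_window('B', 0x90909090u), BUF_LEN);
    printf("C [PAD][RET][NOPS][SC] : %d/%d offsets work\n", landing_window('C', ret), BUF_LEN);
    return 0;
}
```

With these parameters layout A tolerates 38 of the 64 possible landing offsets, layout B only the single offset that hits the first shellcode byte (the address bytes a0 f5 ff bf sit between the sled and the shellcode and end the walk), and layout B jumps to 42 only in the artificial case where the return address is 0x90909090. Layout C, with the sled placed after the return address, gets 22 usable offsets, which is why real exploit strings that put the shellcode after the overwritten EIP normally put the NOPs there as well.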