Saturday, April 4, 2020

Buffer Overflow Practice

Although it can seem daunting when you've been staring at hex and registers for too long, at the end of the day a buffer overflow is like any other remote code execution vulnerability. You only need to do two things:

1.) Find a way to input or store your own shellcode

2.) Find a way to execute that code

For example, creating a web shell requires a way to input the code (e.g. an unrestricted file upload, preferably stored somewhere public-facing) and then a way to execute it (e.g. navigating to the address where the web shell is stored).

The same goes for a NOP-sled buffer overflow: we input the code (our input overflows the stack buffer, so that when the program crashes ESP points into the data we supplied) and then find a way to execute it (we overwrite the saved return address so that EIP is loaded with the address of a JMP ESP instruction, which jumps into whatever ESP points at). It's the same two steps.
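As an added illustration (not code from the original post): the unbounded copy that produces the overflow described above, beside a bounded version that refuses input it cannot hold. The buffer size and function names are my own.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 64

/* The "before" pattern: an unbounded copy into a fixed-size stack buffer.
 * Input longer than BUF_SIZE - 1 bytes runs past the end of buf, over the
 * saved frame pointer and the saved return address, which is exactly the
 * EIP overwrite the post describes.  Kept for illustration only; do not
 * call it with untrusted input. */
void copy_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);          /* no length check: the bug */
    (void)buf;
}

/* Hardened form: check the length before copying, so the saved return
 * address can never be reached.  Returns 0 on success, -1 if refused. */
int copy_checked(const char *input, size_t input_len)
{
    char buf[BUF_SIZE];
    if (input_len >= sizeof buf)  /* leave room for the terminator */
        return -1;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    (void)buf;
    return 0;
}

/* Helper for testing: does copy_checked accept an input of n bytes?
 * Builds a constructed input of n 'A' characters (n capped at 512). */
int accepts_length(size_t n)
{
    char scratch[512];
    if (n > sizeof scratch)
        n = sizeof scratch;
    memset(scratch, 'A', n);
    return copy_checked(scratch, n);
}
```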


