How is the modified return address in a stack based buffer overflow attack approximated?

I understand that a typical stack based buffer overflow attack payload looks something like this:

(return address) (return address) ... (return address) (return address) (return address) (return address) (NOP) (NOP) (NOP) (NOP) ... (NOP) (NOP) (NOP) (NOP) (SHELLCODE)

I also understand that successful execution of the shellcode depends on a few things:

1. The repeating return address portion of the payload has to overwrite the return pointer of that stack frame
2. That return address has to be the address of some part of the NOP slide (or the beginning of the shellcode)

What I don't get is how malware that use this technique can always get these two things right. It seems to me that in order to craft a working payload, the attacke开发者_高级运维r has to know the approximate address of the target buffer and its approximate distance from the return address.

Are these two usually pretty deterministic? For example, if the attacker does a few sessions of trial and error until it works on his machine, will that same payload work on all other machines with the exact same binaries?

The accuracy of determining the layout of memory is entirely dependent on the function's stack frame that you are corrupting. Sometimes offsets can be very accurate and even a nop sled isn't required, but its a good idea to have one anyway. If you trigger the issue a couple of times in a debugger you can get an idea of how chaotic the stack is. Other factors can influence very the size of the offset. For instance if the offset can change for different versions of the program, such as an exploit written for windows 2000 and windows xp. Differing language distributions of the application can also affect the size of the offset.

However, ASLR causes serious problems for this exploitation method. Heap Spraying is commonly used by browser based exploits to bypass ASLR.

in order to craft a working payload, the attacker has to know the approximate address of the target buffer and its approximate distance from the return address.

You are right. In fact you have to play a bit with the debugger, in order to write a correct exploit. Once you have written it and tested, if the binary is the same on different machines, exploit should work fine.

(work fine is a bit optimistic. Let's say that the shellcode should be launched. The effectivity of the attack may depends on other factors..)

Of cource the address won't always be the same depending on system and binary, one hack malwares use to improve their chance is to generate multiple payload using different return addresses (like +10 increment if there is 10 NOPS) and try them all until it worked.