* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/)
* [Cybersecurity](https://origin-researchcenter.paloaltonetworks.com/blog/category/cybersecurity-2/)
* Exploitation Demystified,...

# Exploitation Demystified, Part 2: Overwrite and Redirect

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fexploitation-demystified-part-2-overwrite-and-redirect%2F)  
[](https://twitter.com/share?text=Exploitation+Demystified%2C+Part+2%3A+Overwrite+and+Redirect&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fexploitation-demystified-part-2-overwrite-and-redirect%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fexploitation-demystified-part-2-overwrite-and-redirect%2F&title=Exploitation+Demystified%2C+Part+2%3A+Overwrite+and+Redirect&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2015/12/exploitation-demystified-part-2-overwrite-and-redirect/&ts=markdown)  
\[\](mailto:?subject=Exploitation Demystified, Part 2: Overwrite and Redirect)  
Link copied  
By [Palo Alto Networks](https://www.paloaltonetworks.com/blog/author/palo-alto-networks-staff/?ts=markdown "Posts by Palo Alto Networks")  
Dec 01, 2015  
7 minutes  
[Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown)  
[exploitation](https://www.paloaltonetworks.com/blog/tag/exploitation/?ts=markdown)  
[Exploitation Demystified](https://www.paloaltonetworks.com/blog/tag/exploitation-demystified/?ts=markdown)  
[shellcode](https://www.paloaltonetworks.com/blog/tag/shellcode/?ts=markdown)  
[Vulnerabilities](https://www.paloaltonetworks.com/blog/tag/vulnerabilities/?ts=markdown)

In [Part 1 of this series](https://www.paloaltonetworks.com/blog/2015/11/exploitation-demystified-why-what-and-how-part-1/), we laid the foundation of memory corruption exploitation and presented the basic exploitation framework:

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/exploit1.png)  
[![exploit1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/exploit1-500x101.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/11/exploit1.png)

This post will cover the implementation of **Overwrite** and **Redirect** in the context of stack based buffer overflow vulnerabilities.

### Memory Address Space Revisited

In its simplest form, the memory space is divided by the executable code region and the data region. The executable region contains both the program's unique code as well as the DLLs the operating system provides to all processes. Data region, as its name implies, contains the data on which the code operates. The data region is comprised of the **stack** and the **heap,** which we will describe in detail below.

The attacker is interested in the data region since the shellcode by definition will be embedded in what will be loaded to the data region. This means once the file with the shellcode runs, the shellcode resides either in the stack or in the heap.

### The Attacker's Challenge

From the attacker's perspective, inserting the shellcode to the data region is still far from satisfactory because the shellcode is an executable code. Remember -- the shellcode's role is to be executed and to open a connection between the attacker and the targeted machine. This is the fundamental exploitation challenge:

1. The shellcode is by default loaded to data region.
2. The shellcode needs to be executed.
3. Residing in the data region means that the memory addresses populated by the shellcode will never be fetched to the CPU for execution.

### The Attacker's Solution

The attacker's main objective is to manipulate the CPU into executing content of memory addresses which under normal circumstances do not get executed. This is where **vulnerabilities**come into play.

To recap: when we say that an application has a vulnerability we mean that a crafted input file will cause the execution flow to deviate from its predesignated course. In other words, the CPU is fetched an address it was not meant to receive.

Let's tie it all together now. The attacker has managed to insert a shellcode to the data region of the process memory, and what it seeks now is a way to get that shellcode executed. To achieve that, the attacker will craft the file in such a way that the deviated address will contain instructions to jump to the shellcode address. Now, the CPU receives an address containing executable code and it will follow the instructions, jump to the shellcode address and execute it.

### (Very) Brief Vulnerabilities Overview

Vulnerabilities are tightly related to the **overwrite**part in the exploitation flow. Different vulnerabilities enable the attacker to overwrite addresses in different parts of the process address space.

The first type of vulnerability we will cover is **stack based buffer overflow**. This class of vulnerability can be considered a classic exploitation pattern. It is also one of the oldest patterns to be exploited in the wild and is still a prominent part of the current threat landscape.

### The Stack

A typical computer program is comprised of a main program and **functions** or subroutines. When a subroutine is called, it performs its task and returns control to the main program. From the memory address space perspective, the addresses of the main program reside in the code region. When a subroutine is called, a stack is invoked to store its local variables (which roughly correlates to what we refer to as the data). The subroutine then performs its designated task and when it is done, hands over control back to the main program.

From the attacker's perspective there are three interesting features:

* **Fixed size:** The size of the stack is \*\*fixed and determined at the time of the call. For example,\*\*let's assume that the subroutine declared an array of 10 characters. This will be the size of the stack regardless of the arguments we will pass to it.
* **Return address:** The return control mechanism works like this: the stack is invoked with a fixed memory size. Let's say our 10 characters stack is assigned to address 100. This means that addresses 91 to 100 are assigned to this stack. In addition, address 90 contains the address in the main program to which the CPU should return after the subroutine has fulfilled its task. This memory location is known as the **return address.**
* **The stack grows downward**: when we provide the actual arguments to the stack, the first goes to the highest address and is then pushed downwards by its followers. So if we provide a 3 character input to our simplified stack, the first one will go to address 100. After that the second one will populate 100 pushing the first to 99. Then the third will go to 100 pushing the second to 99 and the first to 98. Since our input ends here and there are no more arguments, the return address will be fetched to the CPU, which will follow its instructions and jump back to the main program.

### Stack Based Buffer Overflow

So far we have described the stack architecture with no malicious context. Now we will explain how this architecture can be maliciously leveraged.

The inherent security flaw in the stack architecture is that it implicitly assumes that the input will match the predesignated size. It works well when the input is either smaller than or identical to this size. The problem arises when the input is larger than the predesignated stack boundaries\*\*.\*\*

Let's go back to our simplified stack. Suppose we give the subroutine an input larger than 10 characters. Remember that addresses 91 to 100 are assigned for the input and that address 90 is already populated with the return address. If our input is 11 characters, the first character will go to address 100 and will be pushed downwards. When it reaches 90 it will **overwrite the return address.** The CPU will try to follow the instructions in address 90 but because they do not exist anymore, it will break the execution flow and the process will crash. This is known as Stack Overflow.

Let's also remember that the shellcode resides in the stack and the attacker attempts to cause it to be executed.

In order to leverage stack overflow for its purposes, the attacker will craft the subroutine input in a way that the return address will be overwritten with new instructions which will redirect the CPU to the shellcode location.

In our simplified stack example, the attacker will craft an 11 character size input. The shellcode resides in characters 11 and 10. Character 1 contains instructions to jump to 11 and execute. In that case when the subroutine is called, character 1 will be pushed down, overwrite the return address and redirect the CPU to address 100 where the shellcode is. The CPU will blindly follow the instructions and execute the shellcode.

### Zoom Out on Exploitation Architecture

As you can see in our example above, the exploitation parts are not connected to each other: embedding a shellcode is totally decoupled from crafting the input file to trigger a certain vulnerability. The triggered vulnerability enables the return address to be overwritten. The instructions, which overwrite the return address, redirect the CPU to the shellcode but other than do not relate to the shellcode's functionalities in any way.

The art of exploits is to orchestrate these independent parts to work together. In a similar way, the art of protection against exploits is to obstruct either the independent parts directly or the orchestration among them.

### Conclusion

We have learned how the basic exploitation framework is implemented on stack based buffer overflows vulnerabilities. Despite its age (the earliest documented attack was the [Morris Worm](https://en.wikipedia.org/wiki/Morris_worm) in 1988), this class is still a prominent part of the threat landscape. We encounter exploitations of these vulnerabilities in various readers, players and Microsoft office documents but also in industrial protocols and services.

In the next Exploitation Demystified post, we'll cover implementation of the exploitation framework on heap-based vulnerabilities.

*** ** * ** ***

## Related Blogs

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Understanding: Affected but Not Vulnerable](https://origin-researchcenter.paloaltonetworks.com/blog/2018/01/understanding-affected-not-vulnerable/)

### [AI Governance](https://www.paloaltonetworks.com/blog/category/ai-governance/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown)

[#### AI, Quantum Computing and Other Emerging Risks](https://origin-researchcenter.paloaltonetworks.com/blog/2025/10/ai-quantum-computing-emerging-risks/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### How Cortex Defends Against Microsoft SharePoint "ToolShell" Exploits](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/how-cortex-defends-against-microsoft-sharepoint-toolshell-exploits/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Incident Response](https://www.paloaltonetworks.com/blog/category/incident-response/?ts=markdown), [Reports](https://www.paloaltonetworks.com/blog/category/reports/?ts=markdown), [Unit 42](https://unit42-dev2.paloaltonetworks.com)

[#### The Case for Multidomain Visibility](https://origin-researchcenter.paloaltonetworks.com/blog/2025/10/case-for-multidomain-visibility/)

### [AI Governance](https://www.paloaltonetworks.com/blog/category/ai-governance/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Government](https://www.paloaltonetworks.com/blog/category/government/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown)

[#### Improving National Security Through Secure AI](https://origin-researchcenter.paloaltonetworks.com/blog/2025/05/improving-national-security-through-secure-ai/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Government](https://www.paloaltonetworks.com/blog/category/government/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown)

[#### Making Every Dollar Count for Federal Cybersecurity](https://origin-researchcenter.paloaltonetworks.com/blog/2025/03/making-every-dollar-count-federal-cybersecurity/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language