hi all ,
i read about exploitation these days , and i started practice with writing emplementation for the libPNG exploit , but the problem is that i'am not sure about what's really happenning in stack , for example when i point "return address" to the end of shelcode at top of the stack it works, and when i point to the NOPs at button of stack it also works.
any one could help , PLZ do
thanx in advance

PS: i generate the pic then display with GQview.
here's my stack dump :
#0 0xbffff519 in ?? ()
#1 0x00000008 in ?? ()
#2 0x00000000 in ?? ()
#3 0x00000000 in ?? ()
#4 0x00000008 in ?? ()
#5 0xbffff45c in ?? ()
#6 0x00000010 in ?? ()
#7 0x204e0002 in ?? ()
#8 0x00000000 in ?? ()
#9 0x00000002 in ?? ()
#10 0x00000001 in ?? ()
#11 0x00000000 in ?? ()
#12 0xbffff489 in ?? ()
#13 0xbffff489 in ?? ()
#14 0xbffff489 in ?? ()
#15 0x90909090 in ?? ()
#16 0x90909090 in ?? ()
#17 0x90909090 in ?? ()
#18 0x90909090 in ?? ()
#19 0x90909090 in ?? ()
#20 0x90909090 in ?? ()
#21 0x90909090 in ?? ()
#22 0x90909090 in ?? ()
#23 0x90909090 in ?? ()
#24 0x90909090 in ?? ()
#25 0x90909090 in ?? ()
#26 0x90909090 in ?? ()
#27 0x90909090 in ?? ()
#28 0x90909090 in ?? ()
#29 0x90909090 in ?? ()
#30 0x90909090 in ?? ()
#31 0x90909090 in ?? ()
#32 0x90909090 in ?? ()
#33 0x90909090 in ?? ()
#34 0x90909090 in ?? ()
#35 0x90909090 in ?? ()
#36 0x90909090 in ?? ()
#37 0x90909090 in ?? ()
#38 0x90909090 in ?? ()
#39 0x90909090 in ?? ()
#40 0xe3f7db31 in ?? ()
#41 0x435366b0 in ?? ()
#42 0x89534353 in ?? ()
#43 0x80cd4be1 in ?? ()
#44 0x6652c789 in ?? ()
#45 0x43204e68 in ?? ()
#46 0xe1895366 in ?? ()
#47 0xd0f6efb0 in ?? ()
#48 0x89575150 in ?? ()
#49 0xcd66b0e1 in ?? ()
#50 0x4366b080 in ?? ()
#51 0x5080cd43 in ?? ()
#52 0xe1895750 in ?? ()
#53 0xcd66b043 in ?? ()
#54 0x89d98980 in ?? ()
#55 0x493fb0c3 in ?? ()
#56 0xe24180cd in ?? ()
#57 0x6e6851f8 in ?? ()
#58 0x6868732f in ?? ()
#59 0x69622f2f in ?? ()
#60 0x5351e389 in ?? ()
#61 0xf4b0e189 in ?? ()
#62 0x80cdd0f6 in ?? ()
#63 0x00000019 in ?? ()
#64 0x081fdcd8 in ?? ()
#65 0xbffff560 in ?? ()
#66 0xbffff778 in ?? ()
#67 0x0808d1c3 in image_new ()

The stack "grows" down in memory, so the NOPs at the end are actually first to be executed. They do nothing but provide a bigger "landing pad" for the stack smashing to hit. Once hit, they get executed, do nothing but lead the processor right in to the trap.

There's a tutorial on how it all works somewhere, "Stack smashing for fun and profit"?

thanx for replaying,
i did read "smashing the stack" many times, but there are differencies between what is written and what really happens due to change in kernel and GCC.
for example when u run the examples in "smashing the stack " ,the return address'
wont work because due to change in kernal and gcc there are additional 8 bytes after the frame pointer (after gcc 1.96 i think ) ....etc.

what i need to understand now is why when i point the ret address to the end of stack
it works? (i.e in the stack dump above jump to byte #66)


thanx for ur help .