Understanding memory addresses and endianness

When looking at memory, the data is represented in hexadecimal characters 0 - F, each of which represents a value from 0 to 15, that is, four bits. For example, the value 0 in hexadecimal is 0000 in binary, and F is 1111 in binary.

Using hexadecimal makes memory addresses easier to read and easier to write. Since we have 32-bit memory addresses, there are 32 positions for individual bits. Since each hexadecimal character represents four bits, the same address can be written in eight hexadecimal characters. Keep in mind that these hexadecimal characters are grouped in pairs, giving four pairs, each of which is one byte.

Intel x86 platforms use little endian notation for memory addressing, which means the least significant byte comes first. The memory address as you read it has to be reversed to produce the little endian equivalent. To understand manual conversion to little endian, take a look at the following image and note that you are reversing the order of the pairs, not the contents of the pairs themselves. This is because each pair represents a byte, and we order by the least significant byte first, not the least significant bit. If the bits were reversed instead, the hexadecimal characters would change as well, unless the character was an A or F.

[Figure: manual conversion of a 32-bit address to little endian, with the order of the four byte pairs reversed]

Do not worry, we have a cheat. You will often see Perl exploits written with specific memory addresses loaded into variables with pack('V', 0xaa01f24d). This is a neat feature of Perl that allows you to load memory values in little endian notation directly into a variable. Python's equivalent is struct.pack('<I', 0xaa01f24d), which makes representing memory addresses much simpler. If you look at your Metasploit modules, you can see the intended action represented in the same manner as [target['Ret']].pack('V'). This provides the return action for the specified target based on the memory address passed in.
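As an added example (my own code, not the book's), the manual pair-reversal described above next to the struct.pack('<I', ...) form, using the text's sample address 0xaa01f24d; the function names are assumptions of this example.

```python
import struct


def to_little_endian(address: int) -> bytes:
    """Reverse the byte order of a 32-bit address by hand.

    Splits the eight hex characters into four pairs (one byte each) and
    reverses the order of the pairs; the bits inside each pair stay put.
    """
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    pairs = [f"{address:08x}"[i:i + 2] for i in range(0, 8, 2)]  # e.g. ['aa','01','f2','4d']
    return bytes(int(pair, 16) for pair in reversed(pairs))


def to_big_endian(address: int) -> bytes:
    """The same four bytes in the order the address is written on paper."""
    return to_little_endian(address)[::-1]


def from_little_endian(raw: bytes) -> int:
    """Rebuild the written address from four bytes read out of memory,
    e.g. the value sitting in a saved return address while debugging."""
    if len(raw) != 4:
        raise ValueError("expected exactly four bytes")
    return int.from_bytes(raw, "little")


def matches_struct_pack(address: int) -> bool:
    """Confirm the manual method agrees with struct.pack('<I', ...),
    the Python equivalent of Perl's pack('V', ...)."""
    return to_little_endian(address) == struct.pack("<I", address)


def as_escapes(raw: bytes) -> str:
    """Render bytes as the \\x.. escapes exploit strings are usually written in."""
    return "".join(f"\\x{b:02x}" for b in raw)


if __name__ == "__main__":
    addr = 0xAA01F24D  # sample address from the text
    le = to_little_endian(addr)
    print(f"{addr:#010x} little endian -> {as_escapes(le)}")
    print(f"{addr:#010x} big endian    -> {as_escapes(to_big_endian(addr))}")
    print("agrees with struct.pack('<I'):", matches_struct_pack(addr))
    print("read back from memory bytes:", hex(from_little_endian(le)))
```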

Note

You know how, when you run your exploit in Metasploit, you choose a target such as Windows XP SP3 or Windows 2008 R2? That target is usually the specific memory address for the EIP to use to call a specific action. Typically, it is a jmp esp to execute the injected code; you will see more about reversing Metasploit modules later in this chapter.

We mentioned earlier that we are trying to overwrite the EIP register with a memory value that points to an instruction. That instruction is chosen based on what data we can overwrite while we are building our exploit. The EIP is the one area in your exploit code where you have to worry about endianness; the rest of the exploit is straightforward.

Note

The names little endian and big endian came from Jonathan Swift's book Gulliver's Travels. As a simple synopsis of the book, the Little-Endians believed in breaking eggs from the small end of the egg and the Big-Endians believed in breaking their eggs from the big end. This same concept has been applied to memory structure naming conventions.
