Metasploit mailing list archives
Broken NOP Sled :(
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 13 Oct 2006 21:49:18 -0500
On Fri, Oct 13, 2006 at 03:33:56PM -0700, Greg Linares wrote:
Hello: Currently I am working on one of my first shellcode exploits, and it's a simple buffer overflow on an SMTP service. After testing throughout the week I have found this: if I use a buffer string size of 368 I can successfully overwrite EIP with whatever value I'd like, and EAX is pointing to my NOP sled code. So I checked the NTDLL.dll version that the current SMTP is running on and found that, using any number of addresses, I can overwrite EIP with a JMP to EAX. So I overwrote EIP with 0x7C8484FD and that makes EIP point right into my NOP sled. Unfortunately that's the end of it as well. For whatever reason, the code doesn't continue down the NOP sled and reach my shellcode.
Well, what does happen? Are you running on a machine that has hardware NX? When you attach with a debugger, what exception is raised?
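The question in the reply (is the sled landing in memory the CPU is allowed to execute, and what exception do you see when it does not?) can be reproduced outside the SMTP target. The following is an added example, not code from the thread: it is a Linux/x86-64 stand-in for the Windows/NTDLL situation described above, using mmap instead of the service's buffer and a SIGSEGV handler instead of a debugger. The sled length (64), the landing offset (17) and the tiny "shellcode" stub that returns 42 are all constructed for the demonstration. Jumping into the sled in an executable page runs the NOPs and the stub; jumping into the same bytes in a non-executable page faults immediately, which is the hardware NX outcome mmiller is asking about.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for shellcode: mov eax, 42 ; ret  (x86/x86-64). */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

static sigjmp_buf fault_env;

/* Play the role of the debugger: catch the access violation and unwind. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* 1 if this build targets x86, where 0x90 is a NOP and the stub is valid. */
int sled_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/*
 * Build a NOP sled followed by the stub in a fresh page, then transfer
 * control into the middle of the sled (what a "jmp eax" into the buffer does).
 * Returns 42 if the sled ran through to the stub, -1 if the jump faulted
 * (non-executable memory, i.e. NX), -2 on a non-x86 build, -3 if mmap failed.
 */
int run_sled(int executable)
{
    if (!sled_supported())
        return -2;

    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    unsigned char *buf = mmap(NULL, page, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -3;

    const size_t sled_len = 64;               /* constructed sled size */
    memset(buf, 0x90, sled_len);              /* the NOP sled */
    memcpy(buf + sled_len, stub, sizeof stub);/* "shellcode" right after it */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*entry)(void);
        void *landing = buf + 17;             /* somewhere inside the sled */
        memcpy(&entry, &landing, sizeof entry);
        result = entry();                     /* slides down the NOPs to the stub */
    } else {
        result = -1;                          /* faulted on the first fetch */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return result;
}

int main(void)
{
    printf("executable page: %d\n", run_sled(1));
    printf("RW-only page:    %d\n", run_sled(0));
    return 0;
}
```

With NX in effect the second call faults before a single NOP executes, which is the same symptom as "EIP points into my sled but nothing runs"; in a debugger attached to the real target it shows up as an access violation (STATUS_ACCESS_VIOLATION) at the address of the buffer itself rather than a crash somewhere after the sled.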
Current thread:
- Broken NOP Sled :( Greg Linares (Oct 13)
- Broken NOP Sled :( mmiller at hick.org (Oct 13)
- Broken NOP Sled :( Greg Linares (Oct 16)
- Broken NOP Sled :( mmiller at hick.org (Oct 13)