Metasploit mailing list archives

Problem in writing exploits


From: thegnome at nmrc.org (Simple Nomad)
Date: Tue, 10 Oct 2006 11:31:55 -0500

On Tuesday 10 October 2006 10:44, Cristiano de Nunno wrote:
Hello to everybody.

I followed the tutorial on writing exploits shown in this page:

http://metasploit.com/projects/Framework/documentation.html

(Exploit Module Tutorial (English))

But I actually couldn't exploit the server.
I admit I'm a total noob and that's why I'm looking for help here.
I'll explain in a few words the problem I have.

I used the vuln1_*.pm included in the framework documentation, and I
calculated the offset with the patternOffset application included, and that is
ok. The problem is the ESP reg value. The tutorial tells me to pull out this
value with gdb, write it in the exploit pm file and increase it a bit;
the problem is that each time I run the exploitable server the esp reg
value changes, and in such a way the exploit doesn't work. My server
crashes with segmentation fault, but no payload is executed.
I set up the msfconsole in the right way, with right addresses and port; I
think the problem is in that esp reg value.

I saw a lot of exploits use one hex value which works on all machines;
how is this possible if it changes each time the vulnerable program runs? I
read about Windows programs and their fixed call value to overwrite the eip
reg, and I understand that, but under unix how can I do something similar?

Tnx to everyone :)

Sounds like you are running into one of the security features in the Linux 
kernel (I am assuming Linux). Google for exec-shield for an idea. Usually 
these features are fairly easy to turn off. For example, exec-shield is:

        echo "0" > /proc/sys/kernel/exec-shield
        echo "0" > /proc/sys/kernel/exec-shield-randomize

However all of this is way beyond the list charter. I'd recommend a couple of 
books, such as "Gray Hat Hacking", "Hacking: The Art of Exploitation", and 
"The Shellcoder's Handbook".

-SN
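The randomisation Simple Nomad points at is the reason the ESP value read from gdb is different on every run. The following C program is an added illustration, not part of the original thread or of the Metasploit framework: it re-executes itself twice and reports the stack address each child sees, alongside the mainline Linux knob /proc/sys/kernel/randomize_va_space (the exec-shield sysctls quoted above are the Red Hat kernel's equivalents). It assumes a Linux system where /proc is mounted; the probe addresses it prints are whatever the running kernel hands out.

```c
/*
 * Added illustration (not from the original thread): observe why a stack
 * pointer value recorded in gdb does not survive to the next run. Each
 * exec'd child reports the address of a local variable; with address-space
 * randomisation enabled the two values differ. Linux only (/proc required).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Address of a local variable: a stand-in for the ESP value the tutorial
 * has the reader copy out of gdb. */
uintptr_t stack_probe_address(void)
{
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

/* Mainline knob: 0 = off, 1 = stack/mmap randomised, 2 = brk randomised too.
 * Returns -1 when the file cannot be read (non-Linux, restricted container). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Parse the "0x..." text a child probe prints back into a number; 0 on failure. */
uintptr_t parse_hex_address(const char *text)
{
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 16);
    if (end == text)
        return 0;
    return (uintptr_t)v;
}

/* Run this same binary again in probe mode and collect its stack address.
 * A fresh exec is required: a plain fork() inherits the parent's layout,
 * so it would always report the same address. */
uintptr_t spawn_probe(const char *exe)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl(exe, exe, "--probe", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    char buf[64] = {0};
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n <= 0)
        return 0;
    return parse_hex_address(buf);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        printf("0x%lx\n", (unsigned long)stack_probe_address());
        return 0;
    }
    printf("randomize_va_space = %d\n", read_randomize_va_space());
    uintptr_t a = spawn_probe("/proc/self/exe");
    uintptr_t b = spawn_probe("/proc/self/exe");
    printf("run 1 stack address: 0x%lx\nrun 2 stack address: 0x%lx\n",
           (unsigned long)a, (unsigned long)b);
    if (a && b)
        puts(a == b ? "identical: randomisation appears to be off"
                    : "different: stack addresses are randomised");
    return 0;
}
```

Build with `cc -o stackprobe stackprobe.c` and run `./stackprobe`; with randomize_va_space at 1 or 2 the two addresses differ, which is exactly the symptom described in the question, and with it at 0 they match. The probe compares two exec'd children rather than two fork()ed ones because randomisation is applied at exec time.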
