Broken NOP Sled :(

[mmiller at hick.org (mmiller at hick.org)]

On Fri, Oct 13, 2006 at 03:33:56PM -0700, Greg Linares wrote:
> Hello:
>  
> Currently I am working on one of my first shellcode exploits and it's a
> simple buffer overflow on a SMTP service.
> After testing throughout the week I have found this:
>  
> If I use a buffer string size of 368 I can successfully overwrite EIP
> with whatever value I'd like, and EAX is pointing to my NOP sled code.
>  
> So I checked the NTDLL.dll version that the current SMTP is running on
> and found out using any number of addresses I can overwrite EIP with a
> JMP to EAX.  So I overwrote EIP with 0x7C8484FD and that makes EIP point
> right into my NOP sled. Unfortanetly that's the end of it as well.  For
> whatever reason, the code doesn't continue down the NOP sled and reach
> my shellcode.

Well, what does happen?  Are you running on a machine that has hardware
NX?  When you attach with a debugger, what exception is raised?