Metasploit mailing list archives

Broken NOP Sled :(


From: Glinares at PCOnsite.com (Greg Linares)
Date: Mon, 16 Oct 2006 12:29:32 -0700

Thanks for the response, actually I got it to work instead of using a
JMP to EAX I used a POP EBP, RET combination to restore the base pointer
and that ran the shellcode successfully.

Thanks for reminding me about NX, although after toying with it, it
seems the exploit works with or without the NX bit (in this case DDE
for Windows 2003 SP1).



-----Original Message-----
From: mmiller at hick.org [mailto:mmiller at hick.org] 
Sent: Friday, October 13, 2006 7:49 PM
To: framework at metasploit.com
Subject: Re: [framework] Broken NOP Sled :(

On Fri, Oct 13, 2006 at 03:33:56PM -0700, Greg Linares wrote:
Hello:
 
Currently I am working on one of my first shellcode exploits and it's a
simple buffer overflow on an SMTP service.
After testing throughout the week I have found this:

If I use a buffer string size of 368 I can successfully overwrite EIP
with whatever value I'd like, and EAX is pointing to my NOP sled code.

So I checked the NTDLL.dll version that the current SMTP is running on
and found out using any number of addresses I can overwrite EIP with a
JMP to EAX.  So I overwrote EIP with 0x7C8484FD and that makes EIP point
right into my NOP sled. Unfortunately that's the end of it as well. For
whatever reason, the code doesn't continue down the NOP sled and reach
my shellcode.

Well, what does happen?  Are you running on a machine that has hardware
NX?  When you attach with a debugger, what exception is raised?
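The thread is about a long NOP sled delivered through an SMTP command argument. From the defender's side, the same two properties (an argument far longer than any legitimate address, and a long run of single-byte filler opcodes) are cheap to check at the mail gateway or in captured traffic. The following detector is an added example written for this page, not code from the thread or from Metasploit; the thresholds (32 filler bytes, 256-byte argument), the filler-opcode set and the sample lines are all constructed assumptions.

```python
"""Heuristic NOP-sled / oversized-argument detector for SMTP command lines.

Added example for this page; the thresholds and sample lines below are
constructed for illustration and are not taken from the original thread.
"""
from typing import Dict, List, Tuple

# Single-byte x86 instructions commonly seen as sled filler:
# 0x90 is NOP; 0x40-0x4F are the one-byte INC/DEC of the general registers.
SLED_BYTES = frozenset([0x90]) | frozenset(range(0x40, 0x50))


def longest_sled_run(data: bytes, alphabet=SLED_BYTES) -> int:
    """Length of the longest contiguous run of filler opcodes in data."""
    best = cur = 0
    for b in data:
        if b in alphabet:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def split_command(line: bytes) -> Tuple[bytes, bytes]:
    """Split 'VERB argument\\r\\n' into (VERB, argument); verb is upper-cased."""
    body = line.rstrip(b"\r\n")
    parts = body.split(None, 1)          # split on the first run of whitespace
    if not parts:
        return b"", b""
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else b""
    return verb, arg


def scan_smtp_line(line: bytes, min_run: int = 32,
                   max_arg_len: int = 256) -> List[Dict]:
    """Return a list of findings for one SMTP command line (empty if clean)."""
    verb, arg = split_command(line)
    findings = []
    if len(arg) > max_arg_len:
        findings.append({"verb": verb.decode("ascii", "replace"),
                         "kind": "oversized_argument", "value": len(arg)})
    run = longest_sled_run(arg)
    if run >= min_run:
        findings.append({"verb": verb.decode("ascii", "replace"),
                         "kind": "nop_sled", "value": run})
    return findings


def scan_stream(lines: List[bytes]) -> List[Tuple[int, Dict]]:
    """Scan a sequence of command lines; returns (line index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in scan_smtp_line(line)]


# Constructed sample session: two benign commands and one hostile RCPT line
# carrying a 300-byte NOP sled followed by placeholder bytes (0xCC = INT3).
SAMPLE_LINES = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<" + b"\x90" * 300 + b"\xcc\xcc\xcc\xcc" + b"@x.test>\r\n",
]

if __name__ == "__main__":
    for idx, finding in scan_stream(SAMPLE_LINES):
        print(f"line {idx}: {finding['verb']} {finding['kind']} ({finding['value']})")
```

The run-length check is deliberately narrow: it fires on runs of the well-known one-byte filler opcodes rather than on any repeated byte, so a long but legitimate base64 MIME line is not flagged, while the argument-length check catches the case where an attacker uses a non-repeating sled. Tune both thresholds against your own traffic before enforcing anything on them.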



