Re: problem in off by one overflow

[Alex <alex00882007 () gmail com>]

On Mon, 07 Feb 2005 09:08:45 -0800 (PST), Breno Pinto
<breno () secforum com br> wrote:
> Hi,
>
> I have problem to exploit an off by one vulnerability. When i overwrite ebp with some data and i´t point to my NOPS, 
> i receive an SIGSEGV message.
>
> SIGSEGV message in 0x90909090 ??
>
> I´m using red hat 7.3 and gcc 2.95.
>
> Anybody knows why 0x90909090 broke my exploitation ?
>
> Thanks
>
>
> Breno
Is eip pointing to 0x90909090? The problem is quite simple. 
The base pointer is not over-written with the address of the
destination. Instead, it should be over-written with a pointer to the
address of your destination.

The EIP you see there is most likely the first 4 bytes of your
shellcode, NOP=0x90 on x86 intel.