[framework] Broken NOP Sled :(
mmiller at hick.org
Fri Oct 13 21:49:18 CDT 2006
On Fri, Oct 13, 2006 at 03:33:56PM -0700, Greg Linares wrote:
> Hello:
>
> Currently I am working on one of my first shellcode exploits and it's a
> simple buffer overflow on a SMTP service.
> After testing throughout the week I have found this:
>
> If I use a buffer string size of 368 I can successfully overwrite EIP
> with whatever value I'd like, and EAX is pointing to my NOP sled code.
>
> So I checked the NTDLL.dll version that the current SMTP is running on
> and found out using any number of addresses I can overwrite EIP with a
> JMP to EAX. So I overwrote EIP with 0x7C8484FD and that makes EIP point
> right into my NOP sled. Unfortunately that's the end of it as well. For
> whatever reason, the code doesn't continue down the NOP sled and reach
> my shellcode.
Well, what does happen? Are you running on a machine that has hardware
NX? When you attach with a debugger, what exception is raised?
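The symptom mmiller is asking about (EIP sits at the start of the sled and nothing after the jump ever runs) is what hardware NX/DEP looks like: the very first instruction fetch from a non-executable page raises an exception, so the debugger shows an access violation (STATUS_ACCESS_VIOLATION, 0xC0000005 on Windows) whose faulting address is the sled address itself. The following C program is an added example, not code from this thread or from the Metasploit project; it reproduces the effect on Linux with mmap/mprotect (the POSIX analogue of VirtualAlloc/VirtualProtect) by writing a NOP sled ending in a tiny "return 42" stub into one page, then calling into the page the way a JMP EAX would. In a read/write-only page the call faults on fetch and SIGSEGV is caught with sigsetjmp/siglongjmp; in a read/execute page execution slides down the NOPs into the stub. Stub bytes are supplied for x86, x86-64 and aarch64 only; the function names and return codes are this example's own.

```c
/* Added example (not from the original thread): a NOP sled in a
 * non-executable page versus an executable one. Linux analogue of the
 * DEP/NX failure mode discussed in the reply. Build: cc -o sled sled.c */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum {
    SLED_FAULT = -1,         /* first fetch from the sled raised SIGSEGV (NX) */
    SLED_UNSUPPORTED = -2,   /* no sled/stub bytes for this CPU architecture */
    SLED_NOEXEC_DENIED = -3  /* mmap/mprotect refused the page */
};
#define SLED_MARKER 42       /* value the stub at the end of the sled returns */

static sigjmp_buf fault_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind back into run_sled */
}

/* Fill buf with architecture-specific NOPs and end it with a stub that
 * returns SLED_MARKER. Returns 0, or -1 if this architecture is not covered. */
static int write_sled(uint8_t *buf, size_t len)
{
#if defined(__x86_64__) || defined(__i386__)
    static const uint8_t stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                    0xc3 };                       /* ret */
    memset(buf, 0x90, len);                      /* 0x90 = x86 NOP */
    memcpy(buf + len - sizeof stub, stub, sizeof stub);
    return 0;
#elif defined(__aarch64__)
    static const uint8_t nop[]  = { 0x1f, 0x20, 0x03, 0xd5 };     /* nop */
    static const uint8_t stub[] = { 0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
                                    0xc0, 0x03, 0x5f, 0xd6 };     /* ret */
    for (size_t i = 0; i + 4 <= len; i += 4)
        memcpy(buf + i, nop, 4);
    memcpy(buf + len - sizeof stub, stub, sizeof stub);
    return 0;
#else
    (void)buf; (void)len;
    return -1;
#endif
}

/* Map one page, write the sled into it, optionally make it executable, then
 * "jump into the sled" by calling the page start. Returns SLED_MARKER when
 * execution slid down the NOPs into the stub, SLED_FAULT when the first
 * instruction fetch faulted (the NX/DEP symptom), or another negative code. */
int run_sled(int executable)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return SLED_NOEXEC_DENIED;

    int have_code = write_sled(page, len) == 0;
    /* A non-executable page faults on fetch whatever bytes it holds, so the
     * NX demonstration does not depend on having sled bytes for this CPU. */
    if (executable) {
        if (!have_code) { munmap(page, len); return SLED_UNSUPPORTED; }
        if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, len);
            return SLED_NOEXEC_DENIED;
        }
        __builtin___clear_cache((char *)page, (char *)page + len);
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*entry)(void);
        memcpy(&entry, &page, sizeof entry);   /* treat the page as code */
        result = entry();                       /* the "JMP EAX" moment */
    } else {
        result = SLED_FAULT;                    /* arrived here from on_segv */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(page, len);
    return result;
}

int main(void)
{
    printf("sled in RW page: %d  (-1 = fetch fault, the DEP/NX symptom)\n", run_sled(0));
    printf("sled in RX page: %d  (42 = slid down the NOPs into the stub)\n", run_sled(1));
    return 0;
}
```

On a DEP-enabled Windows target the equivalent check is to let the exception reach the debugger and compare the faulting address with EIP: if they are equal and the page containing the sled is not marked executable, the sled was never the problem and the payload needs a non-stack, executable landing spot (or a DEP bypass) instead.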