Metasploit mailing list archives

Broken NOP Sled :(


From: Glinares at PCOnsite.com (Greg Linares)
Date: Fri, 13 Oct 2006 15:33:56 -0700

Hello:
 
Currently I am working on one of my first shellcode exploits and it's a
simple buffer overflow on an SMTP service.
After testing throughout the week I have found this:
 
If I use a buffer string size of 368 I can successfully overwrite EIP
with whatever value I'd like, and EAX is pointing to my NOP sled code.
 
So I checked the NTDLL.dll version that the current SMTP is running on
and found out using any number of addresses I can overwrite EIP with a
JMP to EAX.  So I overwrote EIP with 0x7C8484FD and that makes EIP point
right into my NOP sled. Unfortunately that's the end of it as well.  For
whatever reason, the code doesn't continue down the NOP sled and reach
my shellcode.
 
Is this a normal problem? 
What am I doing wrong here?
 
 

