Metasploit mailing list archives
No room for shellcode
From: allendb760 at googlemail.com (DB Allen)
Date: Sun, 3 May 2009 19:19:44 +0100
Thanks for the help guys, much appreciated - I'll try adjusting ESP and see if that helps any - will also give the EggHunter method a go too, not tried that before.

Out of interest, has anyone ever seen an overflow fail when changing shellcode? As in, the buffer overflow doesn't even occur... I thought there may be a bad character in the shellcode, which was why it was not landing up in the stack properly, so I generated new shellcode set to exclude the byte I thought could be causing problems, and the overflow didn't even occur. I was sending exactly the same data for the initial buffer, just different shellcode... It's irritated the hell outta me!

Thanks,
DB

On Sun, May 3, 2009 at 10:59 AM, Patrick Webster <patrick at aushack.com> wrote:

> Yeah, try adjusting ESP first... Otherwise you can use either the existing jmp esp return address to hit your nops, but instead swap the nops for a jump backwards to the start of the 'A's (5 bytes), or use the EggHunter payload (about 32 bytes), which will search the process space for the payload & execute it... As a reference, I used this for the Ximati http server module due to similar space issues.
>
> -Patrick
Current thread:
- No room for shellcode DB Allen (May 02)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 04)
- No room for shellcode Patrick Webster (May 05)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Kim Guldberg (May 03)