Hello I’ve some trouble to follow how to determine the length of the shellcode.
If I run the program with
(gdb) run $(python3 -c 'print("\x55" * (1040 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4)')
My stack looks broken
(gdb) x/2000xb $esp+550 0xffffd376: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0xffffd37e: 0x55 0x55 0xc2 0x90 0xc2 0x90 0xc2 0x90 <SNIP> 0xffffd446: 0xc2 0x90 0x44 0x44 0x44 0x44 0x44 0x44 0xffffd44e: 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44
0x55 works. Adding the no-op
0x90 looks wrong to me where do the
0xc2 instruction came from? This will result in the wrong size and the overwrite of
eip will not work.
I’ve the same issue with testing for bad chars, the result the same
c2 instruction all over the place.
pwn disasm 'c2' -c i386 0: c2 .byte 0xc2
I’m not sure what this does…
Thanks for any help or tips to understand whats going on here.
I figured out that the problem came from python3.
If I run the program as follow
(gdb) run $(python -c "print'\x55' * (1040 - 100 - 150 - 4) + '\x90' * 100 + '\x44' * 150 + '\x66' * 4")
Everything works as expected. I did some research why it is not working with python3 I found this interesting
To do this with python3 I wrote a file
import sys payload = b"\x55" * (1040 - 100 - 150 - 4) + b"\x90" * 100 + b"\x44" * 150 + b"\x66" * 4 sys.stdout.buffer.write(payload)
And now if I run the program with
(gdb) run $(python3 ./gdb_py3_payloader.py)
It works as expected. And the stack is same as in the module.