Hello I’ve some trouble to follow how to determine the length of the shellcode.
If I run the program with
(gdb) run $(python3 -c 'print("\x55" * (1040 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4)')
My stack looks broken
(gdb) x/2000xb $esp+550
0xffffd376: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffd37e: 0x55 0x55 0xc2 0x90 0xc2 0x90 0xc2 0x90
<SNIP>
0xffffd446: 0xc2 0x90 0x44 0x44 0x44 0x44 0x44 0x44
0xffffd44e: 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44
Adding 0x55 works. Adding the no-op 0x90 looks wrong to me where do the 0xc2 instruction came from? This will result in the wrong size and the overwrite of eip will not work.
I’ve the same issue with testing for bad chars, the result the same c2 instruction all over the place.
pwn disasm 'c2' -c i386
0: c2 .byte 0xc2
I’m not sure what this does…
Thanks for any help or tips to understand whats going on here.
Update
I figured out that the problem came from python3.
If I run the program as follow
(gdb) run $(python -c "print'\x55' * (1040 - 100 - 150 - 4) + '\x90' * 100 + '\x44' * 150 + '\x66' * 4")
Everything works as expected. I did some research why it is not working with python3 I found this interesting
Solution
To do this with python3 I wrote a file
import sys
payload = b"\x55" * (1040 - 100 - 150 - 4) + b"\x90" * 100 + b"\x44" * 150 + b"\x66" * 4
sys.stdout.buffer.write(payload)
And now if I run the program with
(gdb) run $(python3 ./gdb_py3_payloader.py)
It works as expected. And the stack is same as in the module.