EH-Net
May 21, 2013, 01:33:38 AM *
  Show Posts
781  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 06:04:16 PM
I think I just solved my problem.

I found another JMP ESP instruction in users32.dll which doesn't contain any infamous characters. I am now able to reach the beginning of my shell code...

I can feel it, it is so close!!!
782  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 05:50:44 PM
Thanks guys, you are really helping me here!!

First, I could easily get the exploit on the internet, but I want to learn, so here I am!

Also, here is what I was successful doing:
1) I can set, let's say, \x41\x41\x41\x41 in EIP (basically, I control EIP)
2) I successfully encoded my shellcode.
3) I have added a 16 bit long NOP sled at the beginning of ESP and my shellcode is right after.
4) I have verified that my shellcode in the memory of the program is identical to the one I have in my code. It is indeed identical.

I keep trying...
783  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 05:13:02 PM
I just checked and like I thought, it becomes too big!

When I "msfencode" \x0A\xAF\xD8\x77, I get:

"\xda\xc9\xd9\x74\x24\xf4\xbb\x6d\x18\xd7\xa6\x2b\xc9\x5a" +
"\xb1\x05\x83\xc2\x04\x31\x5a\x14\x03\x5a\x79\xfa\x22\xfa" +
"\xf9\xca\x8d\x5f\x81\x6b\x48\x3c\x09\x28\x6c\xe0\x91\x87" +
"\xbb\x12"

This can't fit in EIP.

I am so humble now... But I will make it work!!!
784  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 05:08:13 PM
I know now that I can encode my shellcode using the msfencode or something similar. So that is fine now.

BUT, my problem is that my ESP register needs to get the value \x0A\xAF\xD8\x77 but I have a problem with \x0A... Can I encode a value in EIP?

I will check right now!
785  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 12:33:48 PM
Thanks mambru, I will read it tonight.

Also, I will post my solution.
786  Ethical Hacking Discussions and Related Certifications / Programming / Re: Problem with a shellcode... on: May 13, 2010, 07:51:49 AM
I forgot to say I am using a VPN. I first thought my firewall could be blocking these characters, but I soon woke up and realized the VPN encrypts everything. So it isn't my firewall.

Could it be an encoding problem of some sort?
787  Ethical Hacking Discussions and Related Certifications / Programming / Problem with a shellcode... on: May 13, 2010, 07:17:28 AM
Hi,

I have an odd problem when trying to write my own exploit. I am doing the "extra mile" exercises for the Win32 Buffer-Overflow in the PWB course. So everything I am doing is legal here. Everything goes very well but one little thing.

I understand that injecting a null byte (\x00) will cause problems during the execution. But I have discovered that when I try to inject bytes ranging from \x0A to \x0F, I get a similar problem. Here is an example:

Let's say I want to inject the following code:
\x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

The debugger will show that the end result is something like:
\x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

But if I remove this \x0A character, I get the full message copied at the proper location: \x41\x42\x43\x44\x45\x46\x47\x48\x49

Basically, it seems I successfully copy my code, but starting at one of the mentioned characters, I only get garbage...

Any REAL experts?
788  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting the computer of a friend on: May 13, 2010, 07:01:14 AM
Thanks guys,

Ketchup, I didn't think of ISP blocking stuff, but it makes so much sense... I am still learning a lot!!!

I will be very busy for another month or so (I am finishing OSCP...), but we should create a little game among some of us. This could be a great way of learning, making contacts and having fun!
789  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Penetration Testing in the Real World on: May 12, 2010, 07:08:44 AM
Hey,

@mtgarden: I have shown the video to the developers, managers and even a director where I work. I paused the video every minute or so and explained in simple words what he was doing. It was very, very well received!!!

I will probably start demos and presentations during lunch time on topics such as "How to secure a wireless router", "SQL Injection", "How to code securely", etc...

Even if it wasn't my goal at all, it kind of put me on the map!

I encourage you guys to do the same.
790  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Capture The Flag in High Schools on: May 11, 2010, 01:35:14 PM
Ok, let's say I can gather 20 teenagers.

After about 10 hours of training, demonstrations and exercises, what kind of challenge should I give them?

I guess I will know their level once I can evaluate them, but with CTF in mind, what kind of vulnerabilities should I expect them to compromise? I just can't throw a reverse engineering problem at them...

So password cracking, ARP cache poisoning, maybe some basic SQL injection?!?
791  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Capture The Flag in High Schools on: May 11, 2010, 12:49:20 PM
Humm...

I also wonder if these teenagers would understand enough about computers to even start such a project. They probably wouldn't know about even a router, what a firewall really is, let alone TCP/IP, UDP, ports, NAT, etc.

Would anyone know about a 15 year old superuser who could even slowly start learning about these subjects?

I may be too optimistic...
792  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Capture The Flag in High Schools on: May 11, 2010, 12:16:24 PM
Thanks guys!

It's good to see that I am not the only one thinking about this. I will try to meet the school director soon and see if I have too many road blocks.

If I do, I may look at the College level instead!

@Equix3n Thanks for offering your help!!!

I will keep you guys posted.
793  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Capture The Flag in High Schools on: May 11, 2010, 10:43:20 AM
Thanks chrisj,

I agree with you, I will be responsible for these kids until they are picked up. Also, I will start with one school, talk to the teachers and the director before I "see too big"!

My expectation is that any school will be afraid of us using their network. So I thought of supplying the server, the switches, the cables, etc. and the students bring their laptops. And since I wanted to put them in teams anyway, if one doesn't have a laptop, it should be alright.

But what about the CTF part. I don't want it to be too tough, but I want them to have a good challenge nevertheless. So what about this:

1) We meet twice a month and I give them a lecture on a single topic. For example, scanning with nmap using 4 or 5 switches.

2) The same day, they practice against the lab's server. Again for example, they use nmap to discover ports and enumerate services.

3) Every month or so, there is a bigger challenge where they will apply the knowledge they have learned recently. Ex: Reconnaissance, scanning, and an easy hack.

I also really, really want to put a big emphasis on ethics and defense!

It is a vast field and my biggest challenge will probably be to choose among many, many subjects...
794  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting Server on: May 11, 2010, 08:54:45 AM
Me, I believe you jonas.

But if you start reading the other threads, you will see that many newcomers are trying to get help on how to do bad stuff and no one here wants to be part of that...

That being said, have fun and brute force these services!  Wink
795  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Capture The Flag in High Schools on: May 11, 2010, 08:50:32 AM
I was going to start by visiting high schools and try to talk to IT teachers and try to get some ideas from them too. They know their students after all...

Then I could do a little presentation to push the interest. I will probably have to write a letter to parents, school directors, etc.

Then we can start a web site, find a place to gather, do a few presentations and demos to really get the interest going. Then as you said Equix3n, have a workshop and organize a competition.

And you are right ETHICAL would be the keyword here...
© 2013 The Ethical Hacker Network