Oops, how stupid I am.
I used '\x05\x05\x05\x05' instead of '\x90\x90\x90\x90' for the NOP operation.
But the '\x05' opcode needs a 4-byte operand, so there's a crash if the alignment didn't match.
Here goes the revised exploit code.
It adds 8 bytes of '\x90' just before the shellcode.
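The alignment point above can be checked rather than guessed. The Python below is an added example, not code from the original post: it models only the two opcodes the post compares, 0x90 (NOP, one byte) and 0x05 (ADD EAX, imm32, five bytes), steps through a padding region from every possible entry offset, and reports which entries resume exactly at the first payload byte. The padding layouts and the 0xCC marker standing in for the payload are constructed inputs; the helper names are my own.

```python
"""Entry-offset alignment check for a padding region (added example).

Models two x86 opcodes only: 0x90 = NOP (1 byte) and 0x05 = ADD EAX, imm32
(1 opcode byte + 4 immediate bytes). Any other byte is treated as the start
of the payload, so the walk stops there.
"""
from typing import Dict, Optional

NOP = 0x90            # single-byte no-op
ADD_EAX_IMM32 = 0x05  # opcode byte followed by a 4-byte immediate


def decode_length(data: bytes, pos: int) -> Optional[int]:
    """Length of the modelled instruction at pos, or None for any other byte."""
    op = data[pos]
    if op == NOP:
        return 1
    if op == ADD_EAX_IMM32:
        return 5
    return None


def landing_offsets(pad: bytes, payload_marker: bytes) -> Dict[int, bool]:
    """For every entry offset inside pad, walk forward instruction by
    instruction and record whether execution arrives exactly at the first
    payload byte (True) or overshoots into it (False).

    An overshoot means a 0x05 at the end of the pad swallowed the first
    payload bytes as its 4-byte immediate, which is the crash the post describes.
    """
    region = pad + payload_marker
    payload_start = len(pad)
    results: Dict[int, bool] = {}
    for entry in range(len(pad)):
        pos = entry
        while pos < payload_start:
            length = decode_length(region, pos)
            if length is None:      # unmodelled byte inside the pad; stop here
                break
            pos += length
        results[entry] = (pos == payload_start)
    return results


def aligned_fraction(pad: bytes) -> float:
    """Fraction of entry offsets in pad that land cleanly on the payload."""
    hits = landing_offsets(pad, b"\xcc")  # constructed one-byte payload marker
    return sum(hits.values()) / len(hits)


if __name__ == "__main__":
    # Constructed layouts mirroring the post: a pure 0x05 region crashes from
    # most offsets, a pure 0x90 region never does, and 8 bytes of 0x90 placed
    # after the 0x05 region re-aligns every entry before the payload.
    for label, pad in [
        ("0x90 x 8", b"\x90" * 8),
        ("0x05 x 8", b"\x05" * 8),
        ("0x05 x 20 + 0x90 x 8", b"\x05" * 20 + b"\x90" * 8),
    ]:
        print(f"{label:24s} aligned entries: {aligned_fraction(pad):.3f}")
```

A region of 0x05 bytes only works from offsets that are a multiple of five steps away from the payload; anything else decodes the leading payload bytes as an immediate and desynchronises the instruction stream. Because the 0x90 tail is at least five bytes wide, every five-byte step out of the 0x05 region lands inside it, and from there one-byte NOPs carry execution to the payload boundary.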