vulnserver - Can't find JMP ESP in ntdll.dll

[w01f]

This tutorial shows how to find a JMP ESP in nttdll.dll

http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

3. Find address for EIP

In this step we have to check the registers and the stack. We have to find a way to jump to our buffer to execute our code. ESP points to the beginning of the C part of our buffer. We have to find a JMP ESP or CALL ESP instruction. Do not forget, that the address must not contain bad characters!

Open the executable modules list in OllyDbg (press the E letter on the toolbar). Select a module, for example the ntdll.dll. (Vulnserv would not be a good choice as its address contains zero!)

Press right click on the code and select Search for/All commands. Enter JMP ESP. A couple of possible address is displayed. Select one.

I've followed the steps but still couldn't find JMP ESP instruction in nttdll.dll.

JMP ESP is not there

[digininja]

At this point you've gone beyond what I can help with, I work at the web app layer, not all the way down here.

 

Are you working in Windows 7? Try searching some of the other modules and try searching for something that you know exists like the XOR EAX,EAX in your last screenshot to see if you can find that. If you can't, then something is wrong with the search.