0

This question is a follow up with a previous question Previous Question

The previous question was solved by changing the permissions of the executable with execstack. My new problem revolves around another implementation to bypass stack execution protection. This uses return-to-libc and involves executing /bin/sh against the address of system().

I am currently using the following code:

#include <stdio.h>

void func(char *buff){  
    char buffer[5];
    strcpy(buffer, buff);
    printf("%s\n", buffer);
}

int main(int argc, char *argv[]){
    func(argv[1]);
    printf("I'm done!\n");
    return 0;
}

My problem occures when I need to overflow the return address of func() to the address 0x00167100. When I perform the buffer overflow the argument I use is $(echo -e "\x00\x71\x16\x00"). The problem however is the least significant \x00 just before \x71 gets removed from my argument. In fact I can use \x00\x00\x00\x00\x00...\x71\x16\x00 and the argument passed in will still be \x71\x16\x00. The end result is the overriden address before some like 0x08001671 when it should really be 0x00167100.

Improve this question
1
  • @OliCharlesworth Why am I loosing those particular bytes. Commented Mar 31, 2012 at 0:07

1 Answer 1

Reset to default
3

strcpy() stops copying at the first null byte. This means that you must use an address where at least the last three bytes are non-null.

Perhaps you can jump over the first instruction of the target function.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

That was the problem however I have encountered a new problem. There is still the tail \x00 byte and I have extra code after that byte. Any suggestions on getting around the stycpy() null byte problem.
@Blackninja543: The way to get around it is to ensure that your payload doesn't have any nulls other than as the last byte.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.