NULL characters in address for buffer overflow
I am trying to reproduce a buffer overflow. The address that I am trying to pass in has two null hex characters in it (i.e. 0x00547e00). There are also 4 more bytes that come after it (i.e 0x11111111 and 0x22222222). If I pass these in using gdb, it skips over the null characters when writing to th开发者_开发知识库e memory i want (i.e. 1111547e 22221111 2222####). Is there a character I can pass in that isnt a null character but doesnt affect my address?
one solution I thought of was to find some memory that was already zero'd out, have the first address point to it, then overwrite with garbage until getting to that zero'd out memory, where i overwrite it. This only works if I have 2 bytes of memory, however, and I am trying to pass 6.
If you are trying to avoid zeros in shellcode, there are ways to do that which pretty much every shellcode-writing tutorial covers.
Now the final part with overwriting the address will be tricky, depending on what kind of buffer overflow is used.
In a memcpy-based one, \0 chars are no problem, however (and your question is vague enough that I'll have to write this) you most likely cannot enter these to stdin with a keyboard / on the commandline, so you'll need to input the data from some other source, e.g. pipe it: ./buffercrash < exploit.txt
With strcpy, you cannot have \0 chars, except for the last one, since it will also terminate the destination string, which means that you can perfectly have the most significant byte set to \0. Now your problem remains the least significant byte: If it is a stack-address, you may be lucky by adding some additional environment variables, so that your target address changes accordingly. If it's just the address for shellcode, you can just add +1 to the address and insert another filling character in front of your shell code.
So it all depends on the context and what exactly you are trying to do, however once you have a buffer-overflow vulnerability, \0 may stop straightforward approaches, but with some creativity, there'll most likely be something that can be achieved even without \0 chars.
精彩评论