Buffer Overflow and Null Bytes
Posted by Adetque (Member, joined 21.04.10)
This is probably a really dumb question, but I've searched for a while and couldn't find anything.
Anyway, if I'm trying to exploit a buffer overflow to change the return address of a function, but the address has a null byte in it, how would I get around that?
RE: Buffer Overflow and Null Bytes
Posted by wolfmankurd (Member, UK, joined 30.05.05)
I don't think it's stupid; I don't know the answer. But then I'm no expert.
Is there no way you could use a different return address, like a non-direct route? Where is the null byte?
It's the only solution I can foresee.
RE: Buffer Overflow and Null Bytes
Posted by Adetque (Member, joined 21.04.10)
I'm trying to change the return address to 004013ef.
RE: Buffer Overflow and Null Bytes
Posted by stdio (Member, joined 06.04.08)
You can try a partial overwrite, i.e. overwrite EIP with \xef\x13\x40 (little endian).
But it also depends on the structure of the overflow, how much room you have, and whether you are able to get there. Keep in mind that with a partial overwrite that's the end of your code; everything needs to be done before that, as there is no room after.
Edited by stdio on 30-06-10 10:17
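The partial overwrite stdio describes, worked through as an added example (this is not code from the thread or from any poster). It simulates, in C, a hypothetical 32-bit x86 frame of 16 bytes of buffer followed by the saved EBP, the saved return address and four bytes of caller data, overflowed by an unchecked strcpy. The layout, the sentinel values and the helper names are all assumptions made for the example. It shows that sending only \xef\x13\x40 works because the NUL that terminates the string is copied too and becomes the 0x00 high byte of 0x004013ef, that a payload four bytes too short lands the address in EBP rather than EIP, and that anything placed after that terminating 0x00 never reaches the stack at all.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (hypothetical) 32-bit x86 frame for this example:
 *   [0..15]  char buf[16]   the overflowed buffer
 *   [16..19] saved EBP
 *   [20..23] saved return address (EIP)
 *   [24..27] four bytes of the caller's data that must not be touched
 */
#define BUF_SIZE    16
#define EBP_OFF     (BUF_SIZE)
#define EIP_OFF     (BUF_SIZE + 4)
#define AFTER_OFF   (BUF_SIZE + 8)
#define FRAME_SIZE  (BUF_SIZE + 12)

#define TARGET      0x004013efu   /* the address from the thread; its high byte is 0x00 */
#define EBP_INIT    0xdeadbeefu   /* sentinel values so we can see what was overwritten */
#define EIP_INIT    0xaabbccddu
#define AFTER_INIT  0x11223344u

typedef struct { uint32_t ebp, eip, after; } frame_view;

static uint32_t rd32(const uint8_t *p) {               /* little-endian load */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {             /* little-endian store */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Payload = `filler` bytes of 'A' + the low three bytes of `target` (little-endian),
 * then a NUL. Returns the number of bytes before the NUL, or 0 if `out` is too small. */
static size_t build_payload(char *out, size_t cap, size_t filler, uint32_t target) {
    if (filler + 4 > cap) return 0;
    memset(out, 'A', filler);
    out[filler]     = (char)(target & 0xff);
    out[filler + 1] = (char)((target >> 8) & 0xff);
    out[filler + 2] = (char)((target >> 16) & 0xff);
    out[filler + 3] = '\0';   /* strcpy copies this too: it becomes the 0x00 high byte */
    return filler + 3;
}

/* Emulates the vulnerable `strcpy(buf, input)` on the frame above and reports
 * what the saved EBP, the saved EIP and the bytes after them contain afterwards. */
static frame_view simulate_overflow(const char *payload) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    wr32(frame + EBP_OFF, EBP_INIT);
    wr32(frame + EIP_OFF, EIP_INIT);
    wr32(frame + AFTER_OFF, AFTER_INIT);
    strcpy((char *)frame, payload);    /* the overflow: no length check, stops at the NUL */
    frame_view v = { rd32(frame + EBP_OFF), rd32(frame + EIP_OFF), rd32(frame + AFTER_OFF) };
    return v;
}

/* Correct offset: 16 bytes of buffer plus 4 bytes of saved EBP sit before EIP. */
static frame_view overflow_correct_offset(void) {
    char payload[FRAME_SIZE];
    build_payload(payload, sizeof payload, EIP_OFF, TARGET);
    return simulate_overflow(payload);
}

/* Filler four bytes short: the three address bytes plus the NUL land in saved EBP. */
static frame_view overflow_hits_ebp(void) {
    char payload[FRAME_SIZE];
    build_payload(payload, sizeof payload, EBP_OFF, TARGET);
    return simulate_overflow(payload);
}

/* Why nothing may follow the partial overwrite: bytes placed after the
 * address's terminating 0x00 are never copied by strcpy. */
static frame_view overflow_with_trailing_bytes(void) {
    char payload[FRAME_SIZE];
    size_t n = build_payload(payload, sizeof payload, EIP_OFF, TARGET);  /* n == 23 */
    memset(payload + n + 1, 0xcc, FRAME_SIZE - (n + 1));                 /* "shellcode" after the NUL */
    return simulate_overflow(payload);
}

int main(void) {
    frame_view ok   = overflow_correct_offset();
    frame_view bad  = overflow_hits_ebp();
    frame_view tail = overflow_with_trailing_bytes();
    printf("correct offset : ebp=%08" PRIx32 " eip=%08" PRIx32 " after=%08" PRIx32 "\n", ok.ebp, ok.eip, ok.after);
    printf("4 bytes short  : ebp=%08" PRIx32 " eip=%08" PRIx32 " after=%08" PRIx32 "\n", bad.ebp, bad.eip, bad.after);
    printf("trailing bytes : ebp=%08" PRIx32 " eip=%08" PRIx32 " after=%08" PRIx32 "\n", tail.ebp, tail.eip, tail.after);
    return 0;
}
```

The point to take from the three runs: the saved return address ends up as 0x004013ef only when the filler is exactly the buffer size plus the four bytes of saved EBP, the payload must end at the address because the copy stops there, and the trick depends on the copy primitive (a strcpy-style copy writes the terminator for you; a length-bounded copy that does not stop at NUL would let you send the full four bytes instead).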
RE: Buffer Overflow and Null Bytes
Posted by Adetque (Member, joined 21.04.10)
And the partial overwrite worked. It turns out I was actually writing the return address into EBP instead of where I should, as well as messing up the return address. Thanks.