Writing to an address starting with 0x00 with a Perl script

Reading the book "Hacking: The Art of Exploitation", I am following the author as he changes the flow of execution by overflowing the stack and changing the return address of the function (in particular, pp. 135-136). He manages to do this with a Perl script by passing the return address as a command line argument 10 times:

$ ./auth_overflow2 $(perl -e 'print "\xbf\x84\x04\x08"x10') 

where 0x080484bf is the return address.

I am trying to do the same, but my return address starts with 0x00. If I replace \x08 with \x00, the null character is dropped, so the address I want to enter ends up shifted by one byte in memory. How can I get around this?

+7
bash perl
1 answer

Command line arguments are NUL-terminated strings, so you cannot pass a string containing a NUL: it would mark the end of the string.

 $ perl -e'system("echo", "abc\x00def", "ghi\x00jkl");'
 abc ghi

Knowing this, the shell strips NULs when constructing the argument.

 $ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x08" x 5' )"
 BF.84.04.08.BF.84.04.08.BF.84.04.08.BF.84.04.08.BF.84.04.08

 $ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x00" x 5' )"
 BF.84.04.BF.84.04.BF.84.04.BF.84.04.BF.84.04

auth_overflow2 would have to be changed to accept an escaped form of the address, e.g. the address in hexadecimal.

+7
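The two points of the answer, as an added C example (not code from the question, the answer, or the book): a 32-bit address is written to the stack as four little-endian bytes, and any byte of it that is 0x00 terminates a C string, so argv (and strcpy-style copies) can deliver only the bytes before the first NUL. The function names, and the second address, are constructed for this example; the answer's suggestion of accepting the address in hexadecimal is the `parse_hex_addr` half of it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Parse a hex-encoded 32-bit address such as "0x080484bf" (the "0x" prefix
 * is optional) into its 4 little-endian bytes, the layout in which it would
 * sit on an x86 stack. Returns 0 on success, -1 on malformed input. */
int parse_hex_addr(const char *s, unsigned char out[4]) {
    char *end;
    unsigned long long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+') return -1;
    v = strtoull(s, &end, 16);
    if (*end != '\0' || v > 0xFFFFFFFFULL) return -1;   /* junk or too wide */
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));          /* least significant byte first */
    return 0;
}

/* How many of the 4 address bytes survive when they are handed over as a
 * C string (argv, environment, strcpy): everything from the first 0x00
 * byte onwards is cut off, because that byte is the string terminator. */
size_t bytes_surviving_as_cstring(const unsigned char addr[4]) {
    size_t n = 0;
    while (n < 4 && addr[n] != 0) n++;
    return n;
}

int main(void) {
    /* The book's address and a constructed one whose top byte is 0x00. */
    const char *samples[] = { "0x080484bf", "0x00401234" };
    for (int k = 0; k < 2; k++) {
        unsigned char b[4];
        if (parse_hex_addr(samples[k], b) != 0) {
            printf("%s: malformed\n", samples[k]);
            continue;
        }
        printf("%s -> %02x %02x %02x %02x, %zu of 4 bytes survive as a C string\n",
               samples[k], b[0], b[1], b[2], b[3], bytes_surviving_as_cstring(b));
    }
    return 0;
}
```

The second sample loses its final byte, which is exactly the one-byte shift the question describes; the only remedy is to decode the address inside the receiving program rather than smuggling raw bytes through argv.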
