Information Security
exploit buffer-overflow
Updated Sun, 17 Jul 2022 03:32:11 GMT

Buffer overflow with zeros


I'm starting to learn about buffer overflow, and I'm trying to change the contents of the return address to a specific location using gdb, but the problem is that the address starts with some zeros.

For example, I want to change the return address to: 0x0000555555554816. I tried to use Perl and passing this address as $(perl -e 'print "\x00\x00\x55\x55\x55\x55\x48\x16" x 10') but bash ignored the \x00 because this is the null byte.

Does anyone know other alternatives to work around this problem?




Solution

This is a very prevalent problem while exploiting 64-bit programs. My guess on why this is happening is that your vulnerable program is using strcpy; any null byte you provide as payload will act as a string delimiter, thereby stopping any further overflow. There is no one universal way of overcoming this. I usually like to go about it this way:

  • Find ROP gadgets that would effectively change the value on the stack to the return address you want.
  • Make sure the ROP gadgets' addresses do not have null bytes.
  • If the first step is too hard, use ROP gadgets directly to execute an execve syscall.
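As an added example (not code from the question or the answer): a C program that encodes the question's address in little-endian order, as x86-64 stores a return address in memory, and measures how many of its 8 bytes a strcpy-style copy transfers before the first zero byte stops it. The second address, 0x4141414141414141, is a constructed NUL-free value used only for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a 64-bit value in little-endian order, the byte order in which an
 * x86-64 return address actually sits in memory (least significant byte first). */
void encode_le64(uint64_t value, unsigned char out[8]) {
    for (int i = 0; i < 8; i++) {
        out[i] = (unsigned char)(value >> (8 * i));
    }
}

/* How many bytes of an 8-byte encoded address a NUL-terminated copy such as
 * strcpy transfers before it stops: everything up to the first zero byte.
 * 0x0000555555554816 encodes as 16 48 55 55 55 55 00 00, so only 6 bytes land. */
size_t bytes_copied_by_strcpy(uint64_t address) {
    unsigned char src[9];
    char dst[9];
    encode_le64(address, src);
    src[8] = '\0';                    /* terminator so strcpy cannot overrun src */
    strcpy(dst, (const char *)src);   /* the copy stops at the first zero byte */
    return strlen(dst);               /* bytes transferred, excluding the NUL */
}

/* Returns 1 if every byte of the encoded address is non-zero, i.e. a string
 * copy would transfer the whole 8-byte value unchanged. */
int address_is_nul_free(uint64_t address) {
    return bytes_copied_by_strcpy(address) == 8;
}

int main(void) {
    /* First value is the address from the question; second is a constructed
     * NUL-free value for comparison. */
    uint64_t addrs[] = { 0x0000555555554816ULL, 0x4141414141414141ULL };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        printf("0x%016llx: strcpy transfers %zu of 8 bytes (NUL-free: %s)\n",
               (unsigned long long)addrs[i], bytes_copied_by_strcpy(addrs[i]),
               address_is_nul_free(addrs[i]) ? "yes" : "no");
    }
    return 0;
}
```

The length a string copy writes depends on the content of the input rather than on the size of the destination, which is why replacing strcpy with an explicitly bounded copy that rejects over-long input is the fix on the defender's side.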