Guru Prasad

Reputation: 4223

C Buffer overflow - Return address not expressible in ASCII

I'm trying to overflow a buffer of 64 bytes.
The buffer is being filled by a call to `gets`.

My understanding is that I need to write a total of 65 bytes to fill the buffer, and then write another 4 bytes to fill the stack frame pointer.
The next 4 bytes should overwrite the return address.

However, the address that I wish to write is 804846A.

The architecture in question is x86.

Update: I managed to get ASCII codes 0x04 and 0x08 working. The issue seems to be with 0x84. I tried copying the symbol corresponding to 0x84 from http://www.ascii-code.com which is apparently . However, C seems to resolve this symbol into a representation greater than 1 byte.

I also tried to use ä as mentioned in http://www.theasciicode.com.ar
This also resulted in a representation greater than 1 byte.

Upvotes: 2

Views: 1168
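Two things in the question are worth pinning down with running code, from the defensive side. First, why a pasted "ä" turns into more than one byte: in a UTF-8 editor or terminal, every code point above 0x7F is stored as two or more bytes, so no printable character you can type will ever land as the single byte 0x84. Second, the only reason the 64-byte buffer can be overrun at all is the unbounded `gets` call; the fix is a bounded read that reports when a line does not fit instead of silently writing past the array. The following C is an added example written for this page, not code from the asker or the answerer; `BUF_SIZE`, `read_line_bounded`, `read_line_from_stream` and the constructed test inputs are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed: same size as the question's local buffer */

/* Byte length of the character the asker pasted, written here as its UTF-8
 * encoding (0xC3 0xA4) so this source file stays plain ASCII.  A UTF-8
 * editor or terminal stores "ä" as exactly these two bytes, which is why it
 * showed up as "a representation greater than 1 byte": code points above
 * 0x7F never encode to a single byte in UTF-8.  Returns 2. */
size_t utf8_a_umlaut_len(void)
{
    return strlen("\xC3\xA4");
}

/* Hardened replacement for the gets() call, operating on an in-memory input
 * (a constructed stand-in for stdin so the logic is testable offline).
 * Copies the first line of src into dst, never more than dst_size-1 bytes,
 * always NUL-terminates, and returns the number of bytes stored or -1 when
 * the line would not fit.  That -1 is exactly the case gets() turns into a
 * write past the end of the buffer. */
int read_line_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    size_t n = 0;
    while (n < src_len && src[n] != '\n')   /* length of the first line */
        n++;
    if (n >= dst_size) {                    /* needs n+1 bytes including NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Same policy on a real stream: fgets() stops after dst_size-1 bytes, and a
 * line that ends without '\n' while more input remains did not fit.  The
 * remainder of an overlong line is drained so it cannot be read as the
 * "next" line by a later call.  Returns true only when the line fit. */
bool read_line_from_stream(char *dst, size_t dst_size, FILE *in)
{
    if (fgets(dst, (int)dst_size, in) == NULL)
        return false;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return true;
    }
    if (feof(in))                           /* last line had no trailing newline */
        return true;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                   /* discard the rest of the long line */
    dst[0] = '\0';
    return false;
}

/* Constructed check: a 72-byte line (64 + 4 + 4, the layout the question
 * describes) is refused and the destination is left empty. */
bool demo_overlong_rejected(void)
{
    char line[73];
    memset(line, 'A', 72);
    line[72] = '\n';
    char buf[BUF_SIZE];
    return read_line_bounded(buf, sizeof buf, line, sizeof line) == -1 && buf[0] == '\0';
}

/* Constructed boundary check: 63 bytes plus NUL fits a 64-byte buffer,
 * 64 bytes does not. */
bool demo_boundary_exact(void)
{
    char line[64];
    memset(line, 'B', sizeof line);
    char buf[BUF_SIZE];
    int fits = read_line_bounded(buf, sizeof buf, line, 63);
    int over = read_line_bounded(buf, sizeof buf, line, 64);
    return fits == 63 && over == -1;
}

/* Stand-alone use: read one line from stdin with the bounded reader. */
int main(void)
{
    char buf[BUF_SIZE];
    if (read_line_from_stream(buf, sizeof buf, stdin))
        printf("line fit: \"%s\"\n", buf);
    else
        printf("line rejected: longer than %d bytes\n", BUF_SIZE - 1);
    return 0;
}
```

The boundary function makes the arithmetic explicit: with a 64-byte array the longest line the bounded reader accepts is 63 bytes, because the terminating NUL needs the last slot. The same reasoning is why `gets`, which has no size argument, cannot be made safe and was removed from the C standard.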

Answers (1)

danfuzz

Reputation: 4353

You seem to be depending on implementation details of a particular compiler and CPU architecture. For example:

  • Not all CPU architectures use a frame pointer at all.
  • Endianness varies across different CPUs, and this would affect whether you need to "reverse" the bytes or not.
  • Where the stack metainformation (the frame pointer, etc.) is located with respect to a given local variable will differ between compilers, and even between the same compiler using different optimization options.

Upvotes: 1
