Reputation: 3709
This question is a follow-up to a previous question: Previous Question
The previous question was solved by changing the permissions of the executable with execstack. My new problem revolves around another implementation to bypass stack execution protection. This uses return-to-libc and involves executing /bin/sh against the address of system().
I am currently using the following code:
#include <stdio.h>
#include <string.h>   /* for strcpy() */

/* Copies the argument into a 5-byte stack buffer without any length check
   (the overflow under discussion). */
void func(char *buff){
    char buffer[5];
    strcpy(buffer, buff);
    printf("%s\n", buffer);
}

int main(int argc, char *argv[]){
    func(argv[1]);
    printf("I'm done!\n");
    return 0;
}
My problem occurs when I need to overflow the return address of func() to the address 0x00167100. When I perform the buffer overflow, the argument I use is $(echo -e "\x00\x71\x16\x00"). The problem, however, is that the least significant \x00 just before \x71 gets removed from my argument. In fact I can use \x00\x00\x00\x00\x00...\x71\x16\x00 and the argument passed in will still be \x71\x16\x00. The end result is that the overridden address becomes something like 0x08001671 when it should really be 0x00167100.
Upvotes: 0
Views: 659
Reputation: 239321
strcpy() stops copying at the first null byte. This means that you must use an address where at least the last three bytes are non-null.
Perhaps you can jump over the first instruction of the target function.
Upvotes: 3
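To make the answer's point concrete, here is an added illustration written for this page (it is not code from either poster). It measures how many bytes strcpy() would actually transfer from a source that contains NUL bytes, using the address bytes from the question as a constructed sample, and places a bounds-checked copy next to the question's unchecked func() so the fix is visible alongside the defect. The function names, the sample bytes and the demo_buffer are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input (this example is not from the question or answer):
 * the four little-endian bytes of the address 0x00167100 discussed above.
 * Two of them are NUL, which is exactly what stops strcpy(). */
static const char addr_bytes[4] = {0x00, 0x71, 0x16, 0x00};

/* Destination of the same size as the question's buffer[5] (assumed name). */
static char demo_buffer[5];

/* Number of bytes strcpy() would transfer from src before stopping: it copies
 * up to, but not including, the first NUL in the source. src_len bounds the
 * scan so the function is also safe on buffers that are not NUL-terminated. */
size_t bytes_strcpy_would_copy(const char *src, size_t src_len) {
    const char *nul = memchr(src, '\0', src_len);
    return nul ? (size_t)(nul - src) : src_len;
}

/* Hardened counterpart of the question's func(): the caller passes the
 * destination and its size, the length is checked before anything is written,
 * and an oversized argument is rejected instead of overflowing the buffer.
 * Returns 0 when the copy fits, -1 when it was refused. */
int copy_arg_checked(const char *arg, char *dst, size_t dst_len) {
    size_t n = strlen(arg);
    if (dst_len == 0 || n >= dst_len) {
        return -1;              /* would not fit together with its terminator */
    }
    memcpy(dst, arg, n + 1);    /* n payload bytes plus the NUL */
    return 0;
}

int main(void) {
    /* The address bytes: strcpy() meets a NUL at index 0, so it copies nothing. */
    printf("bytes copied from 0x00167100: %zu\n",
           bytes_strcpy_would_copy(addr_bytes, sizeof addr_bytes));

    /* The same address with the leading NUL gone, as the question observed. */
    printf("bytes copied from \\x71\\x16: %zu\n",
           bytes_strcpy_would_copy(addr_bytes + 1, 2));

    /* The checked copy accepts input that fits and refuses input that does not. */
    printf("\"abcd\" into 5 bytes: %d\n",
           copy_arg_checked("abcd", demo_buffer, sizeof demo_buffer));
    printf("\"abcdefgh\" into 5 bytes: %d\n",
           copy_arg_checked("abcdefgh", demo_buffer, sizeof demo_buffer));
    return 0;
}
```

The first call returns 0 copied bytes because the source starts with NUL; the second returns 2 because the scan only stops at a NUL and none appears within the two bytes given. copy_arg_checked() refuses "abcdefgh" for a 5-byte destination, which is the behaviour the original func() lacks.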