Home/ Questions/Q 7734981
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T07:23:11+00:00

This question is a follow up with a previous question Previous Question The previous

  • 0

This question is a follow up with a previous question Previous Question

The previous question was solved by changing the permissions of the executable with execstack. My new problem revolves around another implementation to bypass stack execution protection. This uses return-to-libc and involves executing /bin/sh against the address of system().

I am currently using the following code:

#include <stdio.h>

void func(char *buff){  
    char buffer[5];
    strcpy(buffer, buff);
    printf("%s\n", buffer);
}

int main(int argc, char *argv[]){
    func(argv[1]);
    printf("I'm done!\n");
    return 0;
}

My problem occures when I need to overflow the return address of func() to the address 0x00167100. When I perform the buffer overflow the argument I use is $(echo -e "\x00\x71\x16\x00"). The problem however is the least significant \x00 just before \x71 gets removed from my argument. In fact I can use \x00\x00\x00\x00\x00...\x71\x16\x00 and the argument passed in will still be \x71\x16\x00. The end result is the overriden address before some like 0x08001671 when it should really be 0x00167100.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    strcpy() stops copying at the first null byte. This means that you must use an address where at least the last three bytes are non-null.

    Perhaps you can jump over the first instruction of the target function.

    • 0