1

So I try to understand stack based buffer-overflow but now I am stuck. This is the vulnerable function (32 bit ELF).

int test(char* input)
{
    char buf[100];
    printf("Buffer is at %p\n", &buf); // leak helper
    strcpy(buf, input);

    return 1;
}

I already calculated to number of bytes until the eip is overwritten (112 bytes). The exploit looks like this roughly like this shellcode + '\x55' * (116 - len(shellcode) - 4) + '\x??\x??\x??\x??'

The last 4 bytes are my return address and I get this value from the leak in the code (printf of buf address). The value of the address is something like 0x????ffff. Now when I fill the ?? with the little endian format the value from the leak \xff get's converted to 0xc3 0xbf when I look into the stack memory. What am I doing wrong ?

Improve this question
4
  • Welcome to the community. Please kindly share checksec output of the binary as well Commented Jun 21, 2023 at 15:34
  • I found the solution. My mistake was python3. I tried to generate the input in gdb with $(python3 -c ".....") but python3 handels stirngs and bytes differently than python2. So I switched to perl run $(perl -e 'print "..."') and now it works. Commented Jun 22, 2023 at 16:37
  • I think you need to format it as ASCII. It's definitely possible to achieve that with Python3 Commented Jun 23, 2023 at 16:29
  • Since this was a syntax error, this is not a security question. Commented Jan 28, 2024 at 11:24

1 Answer 1

Reset to default
1

The problem was using python3 because it online example python2 was used to create the input and python3 handels strings and bytes differently that python2.

To solve my issue I switched to perl perl -e 'print "..."'.

Improve this answer