I am trying to figure out a way to overwrite return address of a function containing this code:
length = bigger than target size but smaller than return address offset from beginning of target array.
for (i = 0; i <= length; i++) target[i] = argument[i];
Argument is what I pass in from input.
Local variable, length, is big enough that I can overflow argument to overwrite i and length.
Let's assume offset of return address from start address of target is 300.
I need to overwrite
i to be some number smaller than 300 (0x12c) and
length to be some number larger than 300.
Since this is 32-bit system, 0x0000012c integer contains null character so I cant pass it in through the argument.
Is there a way to overwrite return address in this case?
Sounds like a buffer overflow challenge.
Your right in most cases you cannot write a null byte, such as if the buffer overflow is caused by one of the unsafe string functions like strcpy(). In this case you are moving bytes with a for loop, so if you can influence the length value (this value is probably on the stack...) then it maybe possible to copy null bytes.
Another possibility is looking at the data type. If it is signed, then very large values would be interpreted as a negative number. Brush up on "arithmetic overflows", although in this attack you are overwriting a numeric value.
User contributions licensed under CC BY-SA 3.0