From: Dude VanWinkle (dudevanwinklegmail.com)
Date: Wed Jun 06 2007 - 21:56:22 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6 Jun 2007 19:30:37 -0000, erk_3hotmail.com <erk_3hotmail.com> wrote:
> Hello everyone,
>
> I have studied alot on buffer overflows and I understand the theory behind it. Thing is, any example I follow says once you can overwrite the EIP you can control the flow of the program (in a nutshell).
>
>
> So here's my really basic BOF:
>
>
> #include <stdio.h>
>
> #include <string.h>
>
> int main (int argc, char *argv[]) {
>
> char name[4];
>
> strcpy(name, argv[1]);
>
> printf(name);
>
> }
>
>
> if you enter: 1234AAAABBBB the eip is 0x42424242
>
>
> When i try to put in a return address though, such as 1234AAAA\xEE\xEE\xEE\xEE it doesnt go to that address. To my understanding, shouldn't the fault come up at address 0xEEEEEE ?
>
> Sorry if this sounds stupid to some of you, but I think once i get around this little bump in the road I can be on my way.
>
>

I am kinda new at this stuff as well, but did you try any other
locations? \xee might be considered "bad characters", kinda like \x00
and \x0a. AFAIK If you put an address that is also an instruction,
then you will mess up the stack.

-JP

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]