Perl Question

Writing to an address starting with 0x00 with a Perl script

Reading the book "Hacking - The Art of Exploitation"; I am following the writer as he changes the execution flow by overflowing the stack and changing the return address of a function. (Specifically, page 135-136) He manages to do this with a Perl script, entering the return address as a command line argument 10 times:

$ ./auth_overflow2 $(perl -e 'print "\xbf\x84\x04\x08"x10')

is the return address.

I'm trying to do the same, but my return address starts with 0x00. Replacing \x08 with \x00, the null character becomes omitted, therefore address I want to enter is shifted by a byte in the memory map. How can I work around this?

Answer Source

Command line-arguments are NUL-terminated strings. Therefore, you can't pass a string containing a NUL. It would be taken to be the end of the string.

$ perl -e'system("echo", "abc\x00def", "ghi\x00jkl");'
abc ghi

Knowing this, the shell is stripping out the NULs when building the argument.

$ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x08" x 5' )"

$ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x00" x 5' )"

auth_overflow2 should be modified to take an escaped form of the address, e.g. the address in hex.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download