3

Exploiting functions like strcpy() relies on the fact that the payload string must not contain zero bytes that would terminate the copy function. If the payload contains x86_64 addresses (e.g. in order to overwrite a return address on the stack), then there is the problem that x86_64 addresses contain zero bytes. Is there a workaround for it?

slayer
  • 402
  • 3
  • 14
Andy
  • 263
  • 1
  • 8

1 Answer

1

x86_64 is little endian, so the mandatory zero bytes come at the end of the address/string and are already present in the existing return address. That means you don't need to write those last few bytes. You might still have problems if there were zero bytes less significant than the most significant non-zero byte. These are best avoided by careful target selection.

William Hay
  • 592
  • 2
  • 10
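To make the byte-level point of the answer concrete, here is an added C example (it is not part of the question or of the answer above). It serialises a 64-bit value in x86_64 little-endian order, counts how many bytes a NUL-terminated copy such as strcpy() transfers before it stops, flags values that have a zero byte below their most significant non-zero byte, and simulates what an existing 8-byte slot holds after such a copy lands on it. Every address in it is a constructed sample value, and the function names are assumptions of this example, not anything from the original thread.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serialise a 64-bit value in x86_64 (little-endian) byte order,
   independently of the host's own endianness. */
static void to_little_endian(uint64_t value, unsigned char *out)
{
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Number of bytes of `addr` that a NUL-terminated copy such as strcpy()
   would transfer before stopping at the first zero byte. */
size_t strcpy_copies_bytes(uint64_t addr)
{
    unsigned char le[9];
    to_little_endian(addr, le);
    le[8] = 0;                      /* guard so strlen() always terminates */
    return strlen((const char *)le);
}

/* 1 if a zero byte sits below the most significant non-zero byte, i.e. inside
   the part of the value that a NUL-terminated copy would have to transfer. */
int has_interior_zero_byte(uint64_t addr)
{
    unsigned char le[8];
    to_little_endian(addr, le);
    int top = -1;
    for (int i = 7; i >= 0; i--)
        if (le[i] != 0) { top = i; break; }
    for (int i = 0; i < top; i++)
        if (le[i] == 0) return 1;
    return 0;
}

/* Simulate an 8-byte slot that currently holds `existing` after the bytes of
   `written` are strcpy()'d over it: the copy stops at the first zero byte of
   `written`, writes that terminating zero, and leaves the higher bytes of the
   slot exactly as they were. */
uint64_t slot_after_nul_copy(uint64_t existing, uint64_t written)
{
    unsigned char slot[8], src[8];
    to_little_endian(existing, slot);
    to_little_endian(written, src);
    size_t n = strcpy_copies_bytes(written);
    memcpy(slot, src, n);
    if (n < 8)
        slot[n] = 0;                /* strcpy() writes the terminator too */
    uint64_t result = 0;
    for (int i = 0; i < 8; i++)
        result |= (uint64_t)slot[i] << (8 * i);
    return result;
}

int main(void)
{
    /* Constructed sample values, chosen to look like canonical user-space
       x86_64 addresses (two high zero bytes) for illustration only. */
    const uint64_t existing = 0x00007f1234567890ULL;
    const uint64_t clean    = 0x0000555555554abcULL;   /* no interior zero byte */
    const uint64_t bad      = 0x00007f00deadbeefULL;   /* zero byte at position 4 */

    printf("clean value: %zu bytes copied, interior zero byte: %d\n",
           strcpy_copies_bytes(clean), has_interior_zero_byte(clean));
    printf("slot afterwards: 0x%016" PRIx64 "\n",
           slot_after_nul_copy(existing, clean));

    printf("bad value:   %zu bytes copied, interior zero byte: %d\n",
           strcpy_copies_bytes(bad), has_interior_zero_byte(bad));
    printf("slot afterwards: 0x%016" PRIx64 "\n",
           slot_after_nul_copy(existing, bad));
    return 0;
}
```

Running it shows the two halves of the answer: for the clean value, only six bytes are copied, the seventh is the terminator that strcpy() writes anyway, and the eighth is never touched, yet the slot ends up holding the full value because that high byte was already zero. For the value with an interior zero byte, the copy stops after four bytes, the fifth byte becomes zero, and the three bytes above it keep their old contents, so the slot holds a mixture of old and new that nobody intended. That truncation is exactly why the answer says such values are best avoided, and the same check is useful when assessing whether an overflow finding through a NUL-terminated copy is actually controllable.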