It seems 64-bit addresses must end in two null bytes. But strcpy will copy only one null byte in the entire payload.
You are correct. With strcpy() you can put at most one gadget.
The second null byte is often not a problem, as you often find a null byte there anyway from a previous address or integer.
If you need to put a complete ROP chain, you can check if you can trigger the bug repeatedly and fill the buffer in reverse with strings of decreasing length.
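As an added illustration (not part of the answer above; the addresses are constructed placeholders with the usual zero top bytes, not real gadgets), this C program simulates strcpy into a local buffer: a single copy writes exactly one terminator and leaves the following byte untouched, while copies of decreasing length, longest first, reproduce a layout of three little-endian 64-bit words.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWORDS 3
#define BUFLEN (NWORDS * 8)

/* Constructed placeholders (not real gadgets): like any x86-64 user-space
   pointer, the top two bytes are zero, so in little-endian memory each word
   is 6 non-zero bytes followed by 0x00 0x00. */
static const uint64_t kWords[NWORDS] = {
    0x00007f1122334455ull, 0x00007f66778899aaull, 0x00007fbbccddeeffull,
};

/* The byte layout that three consecutive 8-byte words would need. */
static void target_layout(uint8_t out[BUFLEN]) {
    for (int i = 0; i < NWORDS; i++)
        for (int b = 0; b < 8; b++)
            out[i * 8 + b] = (uint8_t)(kWords[i] >> (8 * b));
}

/* Build a C string of `len` bytes from the layout, replacing each zero byte
   with a filler so strcpy does not stop early; strcpy then writes exactly
   one terminator at dst[len]. */
static void strcpy_prefix(uint8_t *dst, const uint8_t *layout, size_t len) {
    char src[BUFLEN + 1];
    for (size_t i = 0; i < len; i++)
        src[i] = layout[i] ? (char)layout[i] : 'A';
    src[len] = '\0';
    strcpy((char *)dst, src);
}

/* One strcpy: the first word's 6 bytes plus one null land; byte 7 is never
   written, so it only reads as zero if it already was. */
int single_copy_writes_one_null(void) {
    uint8_t layout[BUFLEN], dst[BUFLEN];
    target_layout(layout);
    memset(dst, 0xAA, sizeof dst);
    strcpy_prefix(dst, layout, 6);
    return memcmp(dst, layout, 7) == 0 && dst[7] == 0xAA;
}

/* Decreasing lengths, longest first: each call's terminator lands on one
   zero position (23,22,15,14,7,6) until the whole layout is in place. */
int reverse_fill_rebuilds_layout(void) {
    uint8_t layout[BUFLEN], dst[BUFLEN];
    static const size_t lens[] = {23, 22, 15, 14, 7, 6};
    target_layout(layout);
    memset(dst, 0xAA, sizeof dst);
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        strcpy_prefix(dst, layout, lens[i]);
    return memcmp(dst, layout, BUFLEN) == 0;
}

int main(void) {
    printf("single strcpy leaves byte 7 untouched: %d\n", single_copy_writes_one_null());
    printf("reverse fill reproduces the layout:    %d\n", reverse_fill_rebuilds_layout());
    return 0;
}
```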