While exploiting a strcpy() buffer overflow in Win XP, I used the address of ESP after the crash to overwrite EIP. The address contained a null byte so it did not work, so I found a jmp esp instruction and used that instead. Then I ran the program and it worked fine. Then I realized that the shellcode (from msfpayload) also had null bytes all over. However, it executed fine and I got a reverse shell. Why do null bytes in the shellcode not corrupt the rest of the payload, whereas a null byte in the return address corrupted the rest of the payload?

  • A jump to ESP will implicitly overwrite EIP with the ESP value; in fact, overwriting EIP is exactly what a jump does. – Havenard Commented Jun 20, 2015 at 19:57
  • Sorry, I must have not worded my question correctly. What I meant to ask is: why did the null bytes in my shellcode not corrupt the rest of the shellcode? Commented Jun 20, 2015 at 19:59
  • Is the entire shellcode copied to the buffer that is overflowed? Or is what's copied only enough data to overwrite the buffer, and the rest is reached another way? Commented Jun 20, 2015 at 21:21
  • The first one: the entire payload is copied to the buffer. Commented Jun 20, 2015 at 21:23

1 Answer


As you know, the strcpy function has a loop that ends on a 0x00 byte, and it has no exception. So:

  1. Re-check your bug trigger situation: are you sure it's strcpy? Isn't it memcpy, memmove or even wcs...?
  2. Check the strcpy args; sometimes your target buffer is not the destination of strcpy, it may be the source. And as mentioned in the comments, your assumption about the null byte limitation is wrong.
  3. Check your shellcode in your exploit source, not in memory. It could be decoded at run-time.

If none of the above is right, then check the algorithm; it is possible that the program extends the copy.

  • ...and please tell us your findings. Commented Jun 23, 2015 at 16:07
  • Hey, sorry for the late reply! I don't have access to the source code. I downloaded the program from code.securitytube.net/Server-Strcpy.exe. Owner said it uses strcpy. I saw a snippet that said strcpy(buffer, input) in the video. I am using a metasploit generated shellcode, if that helps. Commented Jul 1, 2015 at 16:44
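The answer's core point is that strcpy() is terminator-driven while memcpy() is length-driven, and that is what decides whether an embedded 0x00 truncates what arrives in the destination. The following C program is an added illustration, not code from the question, the answer or the Server-Strcpy.exe binary. The byte array, the buffer sizes and the two 32-bit addresses (0x0012FF5C and 0x7C123456) are constructed sample values; the point it makes generalizes to any copy routine of either kind. Note the detail in the third function: a little-endian address whose high byte is 0x00 is itself copied intact, because that null simply becomes strcpy()'s terminator, and it is everything placed after the address in the source that never reaches the destination.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample bytes (not real shellcode): a short NOP sled, a 0x00 at
   offset 4, then four more bytes. Purely illustrative. */
static const unsigned char sample_payload[] = {
    0x90, 0x90, 0x90, 0x90, 0x00, 0x41, 0x42, 0x43, 0x44
};
#define SAMPLE_LEN (sizeof sample_payload)      /* 9 bytes */
#define DST_LEN    64

/* Number of leading payload bytes that survive in dst unchanged. */
static size_t bytes_preserved(const unsigned char *dst) {
    size_t i;
    for (i = 0; i < SAMPLE_LEN; i++)
        if (dst[i] != sample_payload[i]) break;
    return i;
}

/* strcpy() copies up to and including the first 0x00 and then stops, so the
   bytes after the null never reach the destination. */
size_t copy_with_strcpy(void) {
    unsigned char dst[DST_LEN];
    memset(dst, 0xCC, sizeof dst);              /* marker: bytes never written stay 0xCC */
    strcpy((char *)dst, (const char *)sample_payload);
    return bytes_preserved(dst);                /* 5: four NOPs plus the 0x00 written as terminator */
}

/* memcpy() copies exactly SAMPLE_LEN bytes, 0x00 included. */
size_t copy_with_memcpy(void) {
    unsigned char dst[DST_LEN];
    memset(dst, 0xCC, sizeof dst);
    memcpy(dst, sample_payload, SAMPLE_LEN);
    return bytes_preserved(dst);                /* 9: the whole payload */
}

/* Lay a 32-bit address out little-endian, follow it with `trailing` filler
   bytes, and report how many source bytes strcpy() would transfer before it
   hits a 0x00. For an address such as 0x0012FF5C (constructed) the high byte is
   0x00, so strcpy() stops after three bytes: the terminator it writes completes
   the address, but the trailing bytes are never copied. */
size_t strcpy_reach_after_address(unsigned int addr, size_t trailing) {
    unsigned char src[4 + 64 + 1];
    size_t i;
    if (trailing > 64) trailing = 64;           /* keep the constructed source in bounds */
    for (i = 0; i < 4; i++) src[i] = (unsigned char)(addr >> (8 * i));
    memset(src + 4, 0x90, trailing);            /* bytes placed after the address */
    src[4 + trailing] = 0;                      /* end of the source string */
    return strlen((const char *)src);
}

int main(void) {
    printf("strcpy preserved %zu of %zu bytes\n", copy_with_strcpy(), (size_t)SAMPLE_LEN);
    printf("memcpy preserved %zu of %zu bytes\n", copy_with_memcpy(), (size_t)SAMPLE_LEN);
    printf("after 0x0012FF5C, strcpy reaches %zu source bytes\n",
           strcpy_reach_after_address(0x0012FF5Cu, 16));
    printf("after 0x7C123456, strcpy reaches %zu source bytes\n",
           strcpy_reach_after_address(0x7C123456u, 16));
    return 0;
}
```

Compile with any C compiler (`cc demo.c -o demo`). From a defensive angle the same fact is why a strcpy() sink cannot be reasoned about by buffer length alone: what the overflow actually writes depends on the first null in the attacker-controlled input, so an audit should establish which copy primitive and which length source the code really uses, exactly the checks the answer lists.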
