I’ve got a strange assignment from a class in which I’m supposed to initiate a buffer overrun to see how easy it is for someone to take advantage of the gets() function.
The basic program that I’m given is this:

Code:
#include <stdio.h>   // printf, gets
#include <conio.h>   // getch (Windows/MSVC)
#include <tchar.h>   // _tmain, _TCHAR (Windows/MSVC)

typedef struct student {
    char name[20];      // 20-byte buffer filled by gets() with no bound
    float amount;       // sits immediately after name on the stack
    int other_stuff;
} person;

int _tmain(int argc, _TCHAR* argv[])
{
    person p;                       // Create a person account (on the stack)
    p.amount = 10.0;                // set amount
    printf("enter name: ");
    gets(p.name);                   // get name (blindly ignoring buffer overrun)
    printf("Here is a $%6.2f gift for %s\n", p.amount, p.name);
    getch();                        // Wait for user to type <Enter> before quitting
    return 0;
}

I understand that if I write more than 20 characters at the command prompt I will start writing into the area in memory where “amount” is located, so I can change it to anything that I want it to be. We are supposed to set the “amount” to 1,000,000, which I’ve figured out is 0x00 0x24 0x74 0x49 when arranged in memory. I know that I can hold down alt and input the decimal equivalent of those numbers to overwrite memory, but I can’t get a NULL to work for my first byte.
In a perfect world I would use this NULL after I enter my name, then put in whatever I want up until I get to the amount area in memory and write in alt 000, alt 036, alt 116, alt 073. Unfortunately I can’t get alt 000 to register, and I’m wondering if there is another way to put a NULL bit into the stream at a command prompt.
Does anyone have any ideas?
***EDIT***
I might be wrong on what I need to enter, as now, looking in my debugger, I see a different hex representation for 1,000,000 - 0x00 0x50 0xc3 0x47
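For comparison, here is the same struct with the gets() call replaced by a bounded read that cannot reach amount; this is an added example, not code from the post or the assignment, and read_name and its FILE* parameter are names I chose.

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the assignment's struct: the 20-byte name sits directly
   before amount on the stack, which is why an unbounded gets() can reach it. */
typedef struct student {
    char name[20];
    float amount;
    int other_stuff;
} person;

/* Bounded replacement for gets(p.name). Reads at most sizeof(p->name)-1
   characters, always NUL-terminates, and discards the rest of an over-long
   line so leftover input cannot spill into the next read.
   Returns 0 if the whole line fit, 1 if it was truncated, -1 on EOF/error. */
int read_name(person *p, FILE *in)
{
    if (fgets(p->name, (int)sizeof(p->name), in) == NULL) {
        p->name[0] = '\0';
        return -1;
    }
    size_t len = strlen(p->name);
    if (len > 0 && p->name[len - 1] == '\n') {
        p->name[len - 1] = '\0';
        return 0;
    }
    /* No newline seen: the line was longer than the buffer. Drain the rest. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 1;
}

/* Hardened version of the assignment's main(): amount stays at 10.0
   no matter how long the typed name is. */
int main(void)
{
    person p;
    p.amount = 10.0f;
    printf("enter name: ");
    if (read_name(&p, stdin) == 1)
        printf("(name truncated to %u characters)\n", (unsigned)sizeof(p.name) - 1);
    printf("Here is a $%6.2f gift for %s\n", p.amount, p.name);
    return 0;
}
```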