I've got a strange assignment from a class in which I'm supposed to initiate a buffer overrun to see how easy it is for someone to take advantage of the gets() function.
The basic program that Iím given is this:
I understand that if I write more than 20 characters at the command prompt I will start writing into the area in memory where "amount" is located, so I can change it to anything that I want it to be. We are supposed to set the "amount" to 1,000,000, which I've figured out is 0x00 0x24 0x74 0x49 when arranged in memory. I know that I can hold down alt and input the decimal equivalent of those numbers to overwrite memory, but I can't get a NULL to work for my first byte.
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
typedef struct student {
    char  name[20];   // 20-byte buffer: the post says the overrun starts past 20 characters (field inferred from the post)
    float amount;     // 4-byte float: 1e6 is 00 24 74 49 in memory, matching the post (field inferred from the post)
} person;
int _tmain(int argc, _TCHAR* argv[])
{
    person p;                  // Create a person account (on the stack)
    p.amount = 10.0;           // set amount
    printf("enter name: ");
    gets(p.name);              // get name (blindly ignoring buffer overrun)
    printf("Here is a $%6.2f gift for %s\n", p.amount, p.name);
    getch();                   // Wait for user to type <Enter> before quitting
}
In a perfect world I would use this NULL after I enter my name, then put in whatever I want up until I get to the amount area in memory and write in alt 000, alt 036, alt 116, alt 073. Unfortunately I can't get alt 000 to register, and I'm wondering if there is another way to put a NULL byte into the stream at a command prompt.
Does anyone have any ideas?
I might be wrong on what I need to enter, as now, looking in my debugger, I see a different hex representation for 1,000,000 - 0x00 0x50 0xc3 0x47
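As an added example (not part of the original post or the class assignment), the program below reproduces the struct layout the post describes and checks the two facts the question turns on: the float field sits exactly 20 bytes into the struct, which is why the 21st character of the name starts landing on it, and the in-memory byte pattern of 1,000,000.0f is 00 24 74 49 on a little-endian machine. It also shows the defender's fix, replacing gets() with a bounded fgets() read, and verifies that an over-long constructed input then leaves amount untouched. The struct fields (a 20-char name followed by a float), the function names and the 40-character test line are assumptions of this example; feeding the bytes from the post's last line (00 50 c3 47) through le_bytes_to_float() gives 100000.0f, one tenth of the intended value.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Same layout the post describes (assumption: 20-char name followed by a
   4-byte float, as the byte pattern 00 24 74 49 implies). */
typedef struct {
    char  name[20];
    float amount;
} person;

/* Byte offset of amount from the start of the struct: a gets() overrun of
   name[] starts landing on the float at exactly this offset. */
int amount_offset(void) {
    return (int)offsetof(person, amount);
}

/* Byte i of a float's in-memory representation (little-endian on x86). */
unsigned char float_byte(float f, int i) {
    unsigned char b[sizeof f];
    memcpy(b, &f, sizeof f);
    return b[i];
}

/* Inverse: reassemble a float from the 4 bytes a debugger shows in memory. */
float le_bytes_to_float(const unsigned char *b) {
    float f;
    memcpy(&f, b, sizeof f);
    return f;
}

/* Hardened replacement for gets(): fgets() never writes past sizeof name,
   and the newline it keeps is stripped. Returns 1 on success, 0 on EOF. */
int read_name(person *p, FILE *in) {
    if (fgets(p->name, (int)sizeof p->name, in) == NULL)
        return 0;
    p->name[strcspn(p->name, "\n")] = '\0';
    return 1;
}

/* Self-check: push a constructed input line through read_name() via a
   temporary file and report whether amount kept its value (1) or not (0). */
int amount_survives(const char *input) {
    person p;
    FILE *in = tmpfile();
    if (!in) return -1;
    fputs(input, in);
    rewind(in);
    p.amount = 10.0f;
    int ok = read_name(&p, in);
    fclose(in);
    return ok && p.amount == 10.0f;
}

int main(void) {
    /* Constructed over-long input: 40 'A's, twice the size of name[]. */
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    printf("amount lives at offset %d\n", amount_offset());
    printf("1e6 in memory: %02x %02x %02x %02x\n",
           float_byte(1e6f, 0), float_byte(1e6f, 1),
           float_byte(1e6f, 2), float_byte(1e6f, 3));
    printf("amount survives 40-char input with fgets: %d\n",
           amount_survives(overlong));
    return 0;
}
```

The fgets() call is the whole fix: it takes the buffer size as an argument and stops one byte short of it, so no input length can reach amount. The only behavioural difference from gets() is the retained newline, which strcspn() removes.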