Doing my first ever BOF and I need a nudge. I’ve found the offset for the EIP. My strategy at this point is to overwrite it with the address of the flag function. The problem is that I can overwrite it with stuff like “AAAA” or “BBCC”, but as soon as I try to put in the correct hex for the return address, I get garbage in the EIP. I suspect some kind of “bad character” issue, but maybe I’m totally going down the wrong path. Am I off base here? Thanks for any help. I’m not very good at asking for it.
I have the same problem here, I was looking for help.
You can send them via echo -e "...\xFF" and you’ll jump to the function. I can jump to the specific function and run it, but only locally. I’m having trouble sending the payload to the server.
Don’t forget to take into account the little-endianness of the architecture when writing your payload. If what you have in the EIP is backwards then that’s the problem.
Yeah. It’s always the endianness that gets me on those too. Even when I remember it, I will do something silly like reverse the whole thing. Hehe.
I’m essentially having the same issue. Unfortunately, this type of attack is new to me, so sorry if I sound like a muppet. I’ve found the offset and the address of the flag function. I’ve used Python pwn to convert the address to the p32 value, and as I increase the offset I can see it referenced; then on the last offset increase the value suddenly changes completely. Bit baffled.