Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.

Using a buffer overflow, I have been able to override return addresses. But the problem is that Windows addresses contain zeros at the beginning (e.g. 0x00401020). As a result, the objdump of any C binary will contain zeros. This makes it very difficult to execute shellcode inside a buffer, as a shellcode cannot contain zeros for it to work.

Has anyone done this sort of thing? It does not matter even if the exploit is printing hello-world: is it possible?

Isn't objdump a *nix utility? What happens if you used a Windows-specific debugger? –  schroeder May 28 '14 at 15:28

It might be there on *nix as well, but I have used it on Windows as well. The issue is not related to the debugger, whether it is WinDbg or Immunity Debugger. –  vivek May 28 '14 at 16:36

1 Answer

You should be able to remove the leading zeros, as 0x00401020 = 0x401020.

Nope, this does not work. The shellcode fails if you simply remove zeros. –  vivek May 28 '14 at 14:05

Does it fail because of the missing zeros, or does it fail because removing the zeros changes the size of the shellcode? –  Corneliux May 28 '14 at 14:21

Yes, the size of the shellcode changes as well, as the 00s are replaced by the next two digits/characters. This changes the shellcode and renders it useless. –  vivek May 28 '14 at 16:44
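To make the disagreement in these comments concrete, here is an added Python model (not code from the question, the answer, or any tool mentioned) of what a C `strcpy` does to a simplified stack frame laid out as [buffer][saved EBP][return address][caller's data]; the frame layout, the 16-byte buffer and the filler bytes are constructed assumptions. It shows that 0x00401020 and 0x401020 are the same number and the same four bytes in memory (the 00 is still there, as the last byte), that a copy terminated by that 00 never reaches anything placed after the address, that dropping the byte shifts the following byte into the address, and that a bounded copy leaves the frame intact.

```python
import struct

RET_ADDR = 0x00401020  # address from the question; in memory it is the bytes 20 10 40 00

def encode_le(addr: int, width: int = 4) -> bytes:
    """Little-endian encoding of an address as it is laid out in memory on x86 Windows."""
    return addr.to_bytes(width, "little")

def make_frame(buf_size: int, saved_ret: int, caller_bytes: int = 16) -> bytearray:
    """Assumed, simplified frame: [buffer][saved EBP][return address][caller's data]."""
    return bytearray(b"\x00" * buf_size + b"\xbb" * 4 + encode_le(saved_ret) + b"\xcc" * caller_bytes)

def strcpy_into(frame: bytearray, payload: bytes) -> int:
    """Model of C strcpy: copies byte by byte up to and including the first NUL and
    ignores the destination size. Returns the number of bytes written."""
    end = payload.find(b"\x00")
    copied = payload[: end + 1] if end >= 0 else payload + b"\x00"
    copied = copied[: len(frame)]      # the model stops at the end of the modelled frame
    frame[: len(copied)] = copied
    return len(copied)

def strncpy_into(frame: bytearray, payload: bytes, buf_size: int) -> int:
    """Bounded copy (the fix): at most buf_size-1 bytes plus a terminator, never past the buffer."""
    copied = payload[: buf_size - 1] + b"\x00"
    frame[: len(copied)] = copied
    return len(copied)

def saved_ret(frame: bytearray, buf_size: int) -> int:
    """Read back the return-address slot of the modelled frame."""
    return struct.unpack_from("<I", frame, buf_size + 4)[0]

def run(buf_size: int = 16) -> dict:
    """Three copies into identical frames; returns (bytes written, return address afterwards)."""
    tail = b"\x90" * 8                     # constructed filler standing in for bytes after the address
    original = 0x00401000                  # constructed original return address
    results = {}
    # 1. Full 4-byte address: strcpy writes its 00 as the terminator and copies nothing after it.
    f = make_frame(buf_size, original)
    n = strcpy_into(f, b"A" * buf_size + b"B" * 4 + encode_le(RET_ADDR) + tail)
    results["full_address"] = (n, saved_ret(f, buf_size))
    # 2. Leading zero "removed" as the answer suggests: only 3 bytes of address, so the first
    #    byte of the tail becomes the high byte of the return address (vivek's observation).
    f = make_frame(buf_size, original)
    n = strcpy_into(f, b"A" * buf_size + b"B" * 4 + encode_le(RET_ADDR, 3) + tail)
    results["zero_removed"] = (n, saved_ret(f, buf_size))
    # 3. Same oversized input through a bounded copy: the return address is untouched.
    f = make_frame(buf_size, original)
    n = strncpy_into(f, b"A" * buf_size + b"B" * 4 + encode_le(RET_ADDR) + tail, buf_size)
    results["bounded_copy"] = (n, saved_ret(f, buf_size))
    return results
```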
