我正在尝试重现缓冲区溢出。我试图传入的地址中有两个空的十六进制字符(即 0x00547e00)。后面还有 4 个字节(即 0x11111111 和 0x22222222)。如果我使用 gdb 传递这些,它会在写入我想要的内存时跳过空字符(即 1111547e 22221111 2222####)。是否有一个我可以传入的字符不是空字符但不影响我的地址?
我想到的一个解决方案是找到一些已经清零的内存,让第一个地址指向它,然后用垃圾覆盖,直到到达那个清零的内存,我在那里覆盖它。但是,这仅在我有 2 个字节的内存时才有效,并且我试图通过 6 个字节。
If you are trying to avoid zeros in shellcode, there are ways to do that which pretty much every shellcode-writing tutorial covers.
Now the final part with overwriting the address will be tricky, depending on what kind of buffer overflow is used.
In a memcpy-based one, \0 chars are no problem, however (and your question is vague enough that I'll have to write this) you most likely cannot enter these to stdin with a keyboard / on the commandline, so you'll need to input the data from some other source, e.g. pipe it: ./buffercrash < exploit.txt
With strcpy, you cannot have \0 chars, except for the last one, since it will also terminate the destination string, which means that you can perfectly have the most significant byte set to \0. Now your problem remains the least significant byte: If it is a stack-address, you may be lucky by adding some additional environment variables, so that your target address changes accordingly. If it's just the address for shellcode, you can just add +1 to the address and insert another filling character in front of your shell code.
So it all depends on the context and what exactly you are trying to do, however once you have a buffer-overflow vulnerability, \0 may stop straightforward approaches, but with some creativity, there'll most likely be something that can be achieved even without \0 chars.