buffer overflow in MIPS – jump to address 0x0040xxxx

Çağlar Arlı

I'm trying to exploit a buffer overflow vulnerability on the MIPS architecture. ASLR is enabled, but the binary was compiled without PIE (hence it is always loaded at 0x00400000). However, the vulnerable code uses strcpy, so I cannot overwrite the $ra register with an address that contains null bytes (0x0040xxxx).

Any ideas how to overcome this issue?

Thanks