
Can’t overwrite EIP in bufferoverflow example

Çağlar Arlı      -    9 Views

I am trying to make a simple buffer-overflow exploit on an example program to understand binary exploitation a bit better. The goal is to simply write shellcode on the stack and execute it. However, despite all the resources online, I keep running into weird problems that I can't figure out a solution for. I hope someone can clarify a couple of things for me :)

The following program is the target application:

#include <string.h>
#include <stdio.h>

int main (int argc, char** argv)
{
    char buffer[8];                 /* 8-byte stack buffer */
    if (argv[1] == NULL) return 0;
    strcpy(buffer, argv[1]);        /* unbounded copy: anything longer than 7 chars overruns buffer */
    printf("Text: %s\n", buffer);
    return 0;
}

To keep things simple, I disable a couple of protection mechanisms. The binary is compiled like so: gcc app.c -o app -z execstack -fno-stack-protector -m32. Also, ASLR is disabled for now: (/proc/sys/kernel/randomize_va_space == 0).

Furthermore, I am using gdb-peda, because from what I've heard it's a bit nicer to work with when doing binary exploitation.

Now, I am currently experiencing the following problem:

I can't seem to overwrite EIP, no matter how long the input string is:

Note how EIP always points to the return address of main? Why? It should be overwritten. Increasing the number of A's doesn't change anything. Also, even weirder is the fact that ESP is never completely filled with A's either; it always ends up as 0x4141413d ('=AAA').

Since I can't seem to overwrite EIP correctly, I can't really continue.

Does anyone know why that happens and what I can do about that?
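As an added example (not part of the question or any answer to it), here is the same program with the length check that its strcpy() call omits: the bounded copy refuses any argument that does not fit in buffer[] together with its terminating NUL, which is exactly the missing check the overflow above relies on. The names copy_bounded() and print_text() are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: same 8-byte buffer as the posted program. */
#define BUF_LEN 8

/* Bounded copy: returns 0 if src (including its NUL) fits in dst,
 * -1 if it would not, leaving dst untouched in that case.
 * Never reads more than dst_len bytes of src. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n >= dst_len)          /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 <= dst_len, so this cannot overrun */
    return 0;
}

/* Hardened counterpart of the posted main(): oversized input is rejected
 * (return 1) instead of running past buffer[] into saved registers and
 * the return address. Returns 0 when the text was printed or arg is NULL. */
int print_text(const char *arg)
{
    char buffer[BUF_LEN];
    if (arg == NULL) return 0;
    if (copy_bounded(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "input too long (max %zu chars)\n", sizeof buffer - 1);
        return 1;
    }
    printf("Text: %s\n", buffer);
    return 0;
}

int main(int argc, char **argv)
{
    return print_text(argc > 1 ? argv[1] : NULL);
}
```

Even with this check in place, the build flags from the question (-z execstack and -fno-stack-protector) should not be used outside a lab, since they remove the second line of defence against a copy that does get past the check.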