App - System

Thursday 3 November 2016, 15:07  #1
ELF64 - Stack buffer overflow - basic
Atesim
  • 1 posts

Hi Everyone!
I got control of rip, but I can't zero out the rest of the register due to the fact that strings terminate when encountering a NULL character. How should I circumvent this issue?
Some info:
0x00000306004006cd this is rip including the return address and some garbage left.

When I add some null characters to the end of my exploit (to clear the garbage) they get read as string terminators.
Please give me a hint, this drives me crazy!
Thanks in advance!

Monday 5 December 2016, 01:09  #2
ELF64 - Stack buffer overflow - basic
Znkbh
  • 3 posts

Hi,

I currently have the same problem.

Monday 5 December 2016, 19:59  #3
ELF64 - Stack buffer overflow - basic
Znkbh
  • 3 posts

OK, I found out that when I use my payload in gdb the \x00 are not interpreted by gdb.

But when I launch ./ch35 with my payload directly in the shell, it works and I got a 'killed' (the next step of the challenge).

I hope it’ll help you.

Sunday 21 January 2018, 18:52  #4
ELF64 - Stack buffer overflow - basic
scara
  • 4 posts

I have got to the killed stage of the part but have no idea what to do. Can someone help me?

Sunday 13 May 2018, 07:32  #5
ELF64 - Stack buffer overflow - basic
coconuthead
  • 7 posts

If you get to `killed` this means you are redirecting RIP to a user-controlled location. However, immediately getting this message implies you are not redirecting it to the correct place and are, likely, jumping to something that is not code.

What is the issue with string terminators? Scanf stops on whitespace, so null characters are copied.
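The point in the post above, that `scanf("%s")` stops on whitespace rather than on a NUL byte, is easy to verify directly. The following C program is an added example written for this thread, not code from the challenge binary or from any poster; it feeds constructed input (an embedded `\x00`, and an over-long token) through `fscanf` using `fmemopen`, measures how many bytes land in the destination buffer, and contrasts the unbounded `%s` with the width-limited `%63s` that a defender would use. The function names and the input strings are assumptions for the demonstration only.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for fmemopen() on glibc */
#endif
#include <stdio.h>
#include <string.h>

/* Sentinel byte used to detect how far a scanf write reached.
 * None of the constructed inputs below contain this value. */
#define SENTINEL 0xAA

/* Run fscanf(fmt, out) over an in-memory stream built from `input`
 * (length given explicitly so embedded NUL bytes survive) and return the
 * number of bytes the conversion wrote into `out`, including the
 * terminating NUL that %s appends. Returns 0 if nothing was converted. */
size_t scanf_bytes_written(const char *fmt, const char *input, size_t input_len,
                           char *out, size_t out_len) {
    memset(out, SENTINEL, out_len);
    FILE *f = fmemopen((void *)input, input_len, "r");
    if (f == NULL) return 0;
    int rc = fscanf(f, fmt, out);
    fclose(f);
    if (rc != 1) return 0;
    size_t n = 0;
    while (n < out_len && (unsigned char)out[n] != SENTINEL) n++;
    return n;
}

/* Constructed input: a token with an embedded NUL, then a space, then more. */
static const char nul_input[] = "AAAA\0BBBB CCC";
#define NUL_INPUT_LEN (sizeof(nul_input) - 1) /* 13 bytes, NUL included */

/* %s copies the embedded NUL and keeps going until the space:
 * "AAAA\0BBBB" (9 bytes) plus the appended terminator = 10 bytes written. */
size_t demo_embedded_nul_bytes(void) {
    char out[64];
    return scanf_bytes_written("%s", nul_input, NUL_INPUT_LEN, out, sizeof out);
}

/* ...yet strlen() of the result is only 4, because C string functions stop
 * at the first NUL. This is the mismatch the thread is running into. */
size_t demo_embedded_nul_strlen(void) {
    char out[64];
    scanf_bytes_written("%s", nul_input, NUL_INPUT_LEN, out, sizeof out);
    return strlen(out);
}

/* Constructed input: 100 non-whitespace bytes with no separator at all. */
static char long_input[100];
static void init_long_input(void) { memset(long_input, 'A', sizeof long_input); }

/* Unbounded %s writes all 100 bytes plus a NUL = 101 bytes. A 64-byte
 * destination would already have been overrun; we measure into a 256-byte
 * buffer here only so the overrun can be counted safely. */
size_t demo_unbounded_bytes(void) {
    char out[256];
    init_long_input();
    return scanf_bytes_written("%s", long_input, sizeof long_input, out, sizeof out);
}

/* Hardened form: a field width caps the copy at 63 bytes plus NUL = 64,
 * which fits a 64-byte buffer regardless of how long the input is. */
size_t demo_bounded_bytes(void) {
    char out[256];
    init_long_input();
    return scanf_bytes_written("%63s", long_input, sizeof long_input, out, sizeof out);
}

int main(void) {
    printf("%%s with embedded NUL: %zu bytes written, strlen() sees %zu\n",
           demo_embedded_nul_bytes(), demo_embedded_nul_strlen());
    printf("%%s on 100-byte token: %zu bytes written (overflows a 64-byte buffer)\n",
           demo_unbounded_bytes());
    printf("%%63s on 100-byte token: %zu bytes written (bounded)\n",
           demo_bounded_bytes());
    return 0;
}
```

The first two results show why a payload can carry NUL bytes through `scanf` even though `strlen`-based code treats them as the end of the string; the last two show the one-character fix (a field width) that removes the overflow the challenge is built around.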