Is it possible to encode bytes in a buffer overflow exploit that bypass string functions?

Null bytes in your return address are hard to beat. Since it's an address as opposed to code, you cannot use an encoding stub. There are, however, a few potential ways to get around this:

1) Find the perfect address. Sometimes the application will copy code onto the stack or other areas in memory. If you're lucky you can find a static location that contains a suitable opcode such as jmp esp.

2) Check for Unicode support; multi-byte wide Unicode will allow you to include null bytes in your payload.

3) It may be possible to spray the heap and make a predetermined address increasingly likely to contain your payload. This predetermined address can be chosen to not contain null bytes.

Good luck


When you are exploiting a buffer overflow, your attack is possible because of an underlying mis-check in the asm code. In your case, the use of strcpy is at fault, so you have some limitations. Indeed, strcpy is a string function.

As you said, you can't have a \x00 byte. You can find other cases (not relying on strcpy) where \x00 is allowed, but not in this case. Sometimes some additional "treatment" is done before calling strcpy and you will have further limited bytes, such as \x20 in the HTTP protocol.

You will need to work on the exploit to overwrite the return address and execute your payload without using those characters. You may be able to succeed using a NOP slide before your payload; this will allow you to shift your shellcode address.

You can also use return-to-libc or other ROP techniques.
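The null-byte constraint both answers describe, shown as an added example that is not part of either answer: a strcpy-style copy stops at the first 0x00 it meets, so any little-endian address that contains a zero byte is cut short, and the defensive fix is to replace the terminator-scanning copy with one that takes an explicit, checked length. The 24-byte input, the made-up address 0x0800ab12 and the `bounded_copy` function are constructed for illustration and do not refer to any real program or target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not a real target): 20 bytes of padding
 * followed by the little-endian encoding of the made-up 32-bit address
 * 0x0800ab12, i.e. the bytes 12 ab 00 08. The 0x00 in the middle is
 * exactly the problem both answers describe. */
static const unsigned char sample_input[] = {
    'A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A',
    0x12, 0xab, 0x00, 0x08
};

/* Copy src with strcpy() into a zero-filled scratch buffer that is large
 * enough to hold it, and report how many bytes actually arrived. strcpy()
 * stops at the first 0x00, so everything after the embedded null byte,
 * including the rest of the address, is never written. */
size_t bytes_strcpy_delivers(const unsigned char *src)
{
    char scratch[64] = {0};
    strcpy(scratch, (const char *)src);   /* scratch is sized for the sample */
    return strlen(scratch);
}

/* Does the little-endian encoding of a 32-bit value contain a 0x00 byte?
 * Any address for which this is true cannot survive a string-function copy.
 * Addresses with a zero high byte (0x00XXXXXX) always fail this test, which
 * is why a leading zero in the address is a useful hardening property. */
int le32_contains_nul(uint32_t value)
{
    for (int i = 0; i < 4; i++) {
        if (((value >> (8 * i)) & 0xff) == 0)
            return 1;
    }
    return 0;
}

/* The defender's replacement for strcpy() into a fixed buffer: the caller
 * states the source length explicitly and the copy is refused when it does
 * not fit. Returns 0 on success and -1 when the input is rejected. There is
 * no terminator scan, so the copy length never depends on the input bytes. */
int bounded_copy(char *dst, size_t dstsz, const unsigned char *src, size_t srclen)
{
    if (dstsz == 0 || srclen >= dstsz)   /* leave room for the terminator */
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Attempt a bounded copy of the first srclen bytes of sample_input into a
 * 16-byte buffer and return the result code. */
int copy_sample_into_16(size_t srclen)
{
    char small[16];
    return bounded_copy(small, sizeof small, sample_input, srclen);
}

int main(void)
{
    printf("strcpy delivers %zu of %zu bytes\n",
           bytes_strcpy_delivers(sample_input), sizeof sample_input);
    printf("0x0800ab12 contains a null byte: %d\n", le32_contains_nul(0x0800ab12u));
    printf("0x7ffc1234 contains a null byte: %d\n", le32_contains_nul(0x7ffc1234u));
    printf("bounded copy of 24 bytes into 16: %d\n", copy_sample_into_16(sizeof sample_input));
    printf("bounded copy of 8 bytes into 16:  %d\n", copy_sample_into_16(8));
    return 0;
}
```

Run as is, the program reports that strcpy delivers only 22 of the 24 bytes, that the sample address fails the null-byte check while 0x7ffc1234 passes it, and that the bounded copy rejects the oversized input outright instead of overflowing.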