I am trying out some simple buffer overflows and I have control over my EIP, but it seems to be limited to a strict set of characters.
For example, I have a Python script that does the following:
```python
import struct
import sys

buff = b"A" * 128
buff += struct.pack("<L", 0x42424242)  # 4-byte little-endian value that lands in EIP
sys.stdout.buffer.write(buff)          # write the raw bytes, not a decoded text string
```
This correctly overwrites my EIP with 0x42424242. I can change the value 0x42424242 to 0x42434445, for example, and it will still work.
But as soon as I enter a real address like 0x804843b, my EIP will change to an invalid address like 0x000000.
Basically, for every address I enter here instead of 0x42424242 that does not resolve to alphabetical characters, I get an invalid EIP address:
Works:
```python
buff += struct.pack("<L", 0x42424242)
buff += struct.pack("<L", 0x45454545)
buff += struct.pack("<L", 0x41424344)
```
All of the above also result in alphabetical characters when printed, like AAAA, EEEE, ABCD.
Does not work:
```python
buff += struct.pack("<L", 0x804843b)
```
When printed, this also shows weird characters like: ;�
struct.pack("<L", <some_numeric_value>) returns the numeric value in little-endian format. The little-endian format of 0x41414141 is \x41\x41\x41\x41. But when it is printed in a console or terminal, each hex value is converted to its corresponding ASCII character. That is, \x41 is converted to 'A' and so on. So
prints 'AAAA'.
The little-endian format of 0x804843b is \x3b\x84\x04\x08. 0x3b is the ASCII value of ';'. 0x84, 0x04 and 0x08 are non-printable characters. Thus
prints out ;� where � stands for the non-printable characters.
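To make the answer concrete, here is an added example (not code from the question or the answer) that packs the same addresses, shows which bytes are printable, and simulates what happens if the bytes are viewed or copied as text on a UTF-8 terminal (an assumption) rather than handled as raw bytes:

```python
import struct

def pack_le(addr):
    """Pack a 32-bit value as four little-endian bytes, as struct.pack("<L") does."""
    return struct.pack("<L", addr)

def printable_bytes(raw):
    """Keep only printable ASCII bytes (0x20..0x7e); everything else shows as junk."""
    return bytes(b for b in raw if 0x20 <= b <= 0x7E)

def as_terminal_text(raw):
    """What a UTF-8 terminal displays: bytes that are not valid UTF-8 become U+FFFD."""
    return raw.decode("utf-8", errors="replace")

def roundtrip_through_text(raw):
    """Simulate copying the *displayed* text back into a payload instead of the raw bytes."""
    return as_terminal_text(raw).encode("utf-8")

def explain(addr):
    """Summarise how one packed address survives (or not) a detour through text."""
    raw = pack_le(addr)
    back = roundtrip_through_text(raw)
    return {
        "raw": raw,
        "hex": " ".join(f"\\x{b:02x}" for b in raw),
        "printable": printable_bytes(raw),
        "shown": as_terminal_text(raw),
        "after_text_roundtrip": back,
        "intact": back == raw,  # False means the address was corrupted on the way
    }

if __name__ == "__main__":
    # Constructed sample addresses: two "alphabetical" ones and the one from the question.
    for addr in (0x42424242, 0x41424344, 0x0804843B):
        info = explain(addr)
        print(f"0x{addr:08x}: {info['hex']}  shown as {info['shown']!r}  "
              f"intact after text round-trip: {info['intact']}")
```

The 0x84 byte is not valid on its own in UTF-8, so it is displayed as � and, if re-encoded from that text, turns into three bytes; only the printable ';' survives unchanged, which is why only alphabetical addresses round-trip intact.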