Login/Register
How do I provide stdin inputs from command line?
Asked Answered
Solved csecuritypenetration-testingstack-smash
J

4

5

I am trying to perform a buffer overflow attack on a program for a class assignment. Both the attack program as well as the vulnerable programme is written by me.

The vulnerable code uses scanf to read data from stdin.

./vulnerable < malicious_payload_file.txt works fine. more malicious_payload | ./vulnerable and echo JUNK_JUNK_JUNK_JUNK | ./vulnerable also works as expected.

However, i would like to use the attack programme to keep supplying incrementally longer payloads till the programme crashes. So, I need to dynamically generate larger payloads of junks. I am using system ("./vulnerable"); to repeatedly call and test for an abnormal exit.

How do I specify such a payload?

Is there a way to run ./vulnerable < malicious_payload_binary or in some manner such that I do not have to put the malicious payload in a file, but can specify it in the command line?

Jocundity answered 27/7, 2011 at 15:48 Comment(4)
I don't understand your question very well. The answer to the question in the last line could be: echo "your payload goes here" | ./vulnerablebut you already know that. So, what exactly is the question?Odds
@Susam Pal - I was looking for a more efficient approach than spawning a process for echo every time. each time I run system there shall be a bash process, echo process and vulnerable process.Jocundity
As, I have mentioned in one of my comments below, echo is usually a shell-builtin. If so, it wouldn't spawn a new process. Run the command type echo to find out whether it is a shell-builtin or not.Odds
You seem confused about the difference between specify on the command line and supply on standard input. Also, you are worrying about efficiency where it's really not important.Sitton
B
2

Rather than trying to use the command line, you might try using popen instead of system:

FILE *fp = popen("./vulnerable", "w");
// write stuff to fp -- it goes to vulnerable's stdin
int exitcode = pclose(fp);

The exitcode you get from pclose is the same as what you would have got from system, had you used another process to create the data and piped it via the shell to ./vulnerable

Brazilin answered 27/7, 2011 at 16:46 Comment(0)
O
9

How about this?

echo "your payload goes here" | ./vulnerable

You can replace the echo command with any command that generates the input to ./vulnerable you want. One such example is a constant flow of junk as input, you can do this:

cat /dev/urandom | ./vulnerable
Odds answered 27/7, 2011 at 15:53 Comment(4)
Do I not need to worry about the speed of execution if I pipe and spawn 2 processes?Jocundity
I have no idea! I did not do it.Jocundity
Thank you for attempting an answer. I tried which echo and got a `/usr/bin/echo'. Makes me doubt if echo is built into the shell. I know it is built into the command.com shell of DOS.Jocundity
Don't try which echo. Try type echo.Odds
B
2

Rather than trying to use the command line, you might try using popen instead of system:

FILE *fp = popen("./vulnerable", "w");
// write stuff to fp -- it goes to vulnerable's stdin
int exitcode = pclose(fp);

The exitcode you get from pclose is the same as what you would have got from system, had you used another process to create the data and piped it via the shell to ./vulnerable

Brazilin answered 27/7, 2011 at 16:46 Comment(0)
V
0

Try piping instead of redirecting:

./malicious_payload_binary | ./vulnerable
Vitek answered 27/7, 2011 at 15:54 Comment(3)
This would say bash: malicious_payload_binary: command not foundJocundity
Maybe ./malicious_payload_binary | ./vulnerableAntagonistic
@Grzegorz Szpetkowski - malicious_payload_binary would then have to be an binary file with execute permissions - which means an extra process. I am trying to avoid files totally and send payload via command line only - is this even possible?Jocundity
C
0

EDIT: I think I finally understand your question (maybe), you want to read command line arguments? Something like

#include <stdio.h>

int main(int argc, char *argv[])
{
    printf("the name of this program is %s\n", argv[0]);
    printf("%d command line arguments were provided\n", argc);
    printf("the input file is %s\n", argv[1]);
    // could do something like: fopen(argv[1]) here
    return 0;
}

If you compile it to a binary named stdintest and run it like so:

./stdintest somefile.txt

it will output:

the name of this program is ./stdintest
2 command line arguments were provided
the input file is somefile.txt

OLD:

As dolphy mentioned, just write to stdout in malicious_payload_binary, read from stdin in vulnerable, and connect them with a pipe: ./malicious_payload_binary | ./vulnerable

Caylacaylor answered 27/7, 2011 at 15:56 Comment(3)
I'm guessing I got downvoted because this isn't "specifying the payload at the command line", but it is the answer to the core (poorly worded) question: "I need to dynamically generate larger payloads of junks".Caylacaylor
I did not downvote anyone. I do understand that I was not able to express the question well and got too wordy. But the essence is in the title - 'how does one redirect stdin to take data specified in command line.'Jocundity
You've still got my +1, and even more so now.Vitek

© 2022 - 2024 — McMap. All rights reserved.