I am trying to perform a buffer overflow attack on a program for a class assignment. Both the attack program as well as the vulnerable programme is written by m开发者_Python百科e.
The vulnerable code uses scanf
to read data from stdin.
./vulnerable < malicious_payload_file.txt
works fine.
more malicious_payload | ./vulnerable
and echo JUNK_JUNK_JUNK_JUNK | ./vulnerable
also works as expected.
However, i would like to use the attack programme to keep supplying incrementally longer payloads till the programme crashes. So, I need to dynamically generate larger payloads of junks. I am using system ("./vulnerable");
to repeatedly call and test for an abnormal exit.
How do I specify such a payload?
Is there a way to run ./vulnerable < malicious_payload_binary
or in some manner such that I do not have to put the malicious payload in a file, but can specify it in the command line?
How about this?
echo "your payload goes here" | ./vulnerable
You can replace the echo
command with any command that generates the input to ./vulnerable you want. One such example is a constant flow of junk as input, you can do this:
cat /dev/urandom | ./vulnerable
Rather than trying to use the command line, you might try using popen
instead of system
:
FILE *fp = popen("./vulnerable", "w");
// write stuff to fp -- it goes to vulnerable's stdin
int exitcode = pclose(fp);
The exitcode you get from pclose
is the same as what you would have got from system
, had you used another process to create the data and piped it via the shell to ./vulnerable
Try piping instead of redirecting:
./malicious_payload_binary | ./vulnerable
EDIT: I think I finally understand your question (maybe), you want to read command line arguments? Something like
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("the name of this program is %s\n", argv[0]);
printf("%d command line arguments were provided\n", argc);
printf("the input file is %s\n", argv[1]);
// could do something like: fopen(argv[1]) here
return 0;
}
If you compile it to a binary named stdintest
and run it like so:
./stdintest somefile.txt
it will output:
the name of this program is ./stdintest
2 command line arguments were provided
the input file is somefile.txt
OLD:
As dolphy mentioned, just write to stdout in malicious_payload_binary
, read from stdin in vulnerable
, and connect them with a pipe: ./malicious_payload_binary | ./vulnerable
精彩评论