
This is related to a stack smash attack.

Basically, I am trying to smash the stack by giving a program a particular input. The program takes in a user input like this, using getchar:

for (i = 0; (c = getchar()) != '\n'; i++) buf[i] = c;

I want to overwrite memory to become 0x000000a1. Unfortunately, 0xa1 is not an ASCII character, so I cannot just input something like ¡ (inverted exclamation) because that ends up giving 0x0000a1c2 in memory. How can I overwrite the value to be just 0x000000a1 without changing how the user input is processed in the program?

umop apisdn
  • Something like `int main() { putchar(0xa1); putchar('\n'); }`? – MikeCAT Oct 20 '19 at 12:56
  • @MikeCAT Thanks for the response. To further clarify, I mean I can only provide an input to the program. The program will ask "enter a string" when it is run, and then it reads the input using `getchar`. But I can't find the character corresponding to `0xa1`... so I can't change the program programmatically. – umop apisdn Oct 20 '19 at 12:58

2 Answers


You can use bash to inject arbitrary characters:

echo -e '\xA1' | /path/to/program

You can add additional input, put the echo in a loop, etc.

echo -e 'Something\xA1\xA1\xA1' | /path/to/program

dash-o

Your system's information is not provided, but usually the standard input is just a byte stream. This means that you can send an arbitrary byte stream, not just valid characters.

For example, if your victim program is ./a.out, you can create a program to emit a payload

#include <stdio.h>

int main(void) {
    putchar(0xa1);
    putchar('\n'); /* to have the victim finish reading input */
    return 0;
}

and compile to, for example, ./b.out and execute using a pipe

$ ./b.out | ./a.out

($ is your terminal's prompt)

MikeCAT
  • I did not mention this as well, but I can only use a text file at most for the input. Thanks for helping anyway! – umop apisdn Oct 20 '19 at 13:22
  • @umopapisdn `0xa1` stands for `。` in a text file encoded in Shift-JIS. You should be able to use that! – MikeCAT Oct 20 '19 at 13:26
  • As a matter of fact, how did you find this character? When I did a search, I could only find the inverted exclamation mark, which is in fact `0xc2a1` – umop apisdn Oct 20 '19 at 13:27
  • I entered `A1 0A` to a binary editor (TSXBIN) and opened the file with a text editor (SAKURA Editor). – MikeCAT Oct 20 '19 at 13:29
  • Handy trick...thanks for the help! I'll keep it in mind next time – umop apisdn Oct 20 '19 at 13:32
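An added shell example (not code from the question or from either answer) that covers both dash-o's `echo -e` approach and the text-file case discussed under MikeCAT's answer. It writes arbitrary byte values to a file with POSIX `printf` octal escapes (which, unlike `echo -e`, behave the same in sh, dash and bash), dumps the file with `od` to confirm what actually landed in it, tells a bare `a1` apart from the `c2 a1` that an editor saving ¡ as UTF-8 produces, and shows why those two bytes read back as the `0x0000a1c2` the question observed when loaded as a little-endian word. The function names and file paths are the example's own.

```sh
#!/bin/sh
# Added example, not code from the question or either answer.
# Builds an input file holding arbitrary byte values with POSIX printf
# octal escapes, verifies the bytes with od, and shows why typing U+00A1
# in a UTF-8 editor yields c2 a1 instead of the single byte a1.

# Write the space-separated hex bytes in $2 to file $1 as raw bytes.
write_hex_bytes() {
    out=$1
    : > "$out"                               # create/truncate the file
    for h in $2; do
        oct=$(printf '%03o' "$((0x$h))")     # hex byte -> 3-digit octal
        printf "\\$oct" >> "$out"            # printf '\ddd' emits one byte
    done
}

# Dump a file as lowercase hex bytes on one line ("53 6f ... 0a").
hexdump_file() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Interpret a hex byte list as a little-endian 32-bit word, the way the
# bytes in the victim's buf read back when loaded as an int.
le32_of_bytes() {
    val=0; shift_n=0
    for h in $1; do
        val=$((val + (0x$h << shift_n)))
        shift_n=$((shift_n + 8))
    done
    printf '0x%08x\n' "$((val & 0xffffffff))"
}

# Report how a file carries 0xa1: "raw" (the bare byte), "utf8" (the c2 a1
# pair an editor writes for the inverted exclamation mark), or "none".
classify_a1() {
    dump=$(hexdump_file "$1")
    case " $dump " in
        *" c2 a1 "*) echo utf8 ;;
        *" a1 "*)    echo raw ;;
        *)           echo none ;;
    esac
}

# Usage: build the input the question wants ("Something" + 0xa1 + newline)
# and check it. The path is constructed for this example.
payload=${TMPDIR:-/tmp}/payload.bin
write_hex_bytes "$payload" "53 6f 6d 65 74 68 69 6e 67 a1 0a"
hexdump_file "$payload"        # 53 6f 6d 65 74 68 69 6e 67 a1 0a
classify_a1 "$payload"         # raw
le32_of_bytes "a1 00 00 00"    # 0x000000a1
le32_of_bytes "c2 a1 00 00"    # 0x0000a1c2  (what the UTF-8 ¡ produced)
# Feed the file to the victim once the dump shows the intended bytes:
#   ./a.out < "$payload"
```

Redirect or pipe the file into the program only after the `od` dump shows the intended bytes; that check is what catches an editor silently re-encoding the input. The one byte this input path cannot carry is 0x0a, because the victim's loop stops at the first newline, so the terminating `0a` must be the last byte written.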