
So I was attempting a CTF recently, and I needed to input some non-printing chars into stdin in order to overwrite a stack variable. I decided to pipe the output from a printf command into the program, and this worked to overwrite the variable, but had an unexpected side effect of killing the program whenever it hit a blocking call and was out of input.

The shortest C program I could write to demonstrate this issue is

```c
#include <stdlib.h>

int main(void)
{
    /* Spawn a shell that inherits this process's stdin. */
    system("/bin/sh");
    return 0;
}
```

Running it normally produces the expected result

```
~$ ./a.out
> ls
. .. Documents etc etc
> _
```

But if I use a pipe on this program, I get

```
~$ echo "ls" | ./a.out
. .. Documents etc etc
~$
```

See the difference? If I use a pipe, `system("/bin/sh")` returns after it runs out of input and the program would normally block / wait for input. Maybe the pipe is sending an EOF causing `system()` to return? How can I make it not do this (act as though I typed it in normally) by changing the way I am using bash? (I cannot change the program in a CTF). Is there a better way to input non-printing chars?

mPrime
  • There's no such thing as "sending an EOF". Does `(echo ls; cat) | ./a.out` do what you want? – Joseph Sible-Reinstate Monica Apr 22 '21 at 23:10
  • The write-end of pipes are closed when the left-hand side of it is finished. – Some programmer dude Apr 22 '21 at 23:12
  • @joseph-sible-reinstate-monica Yeah good point, my wording there was totally confusing, I was trying to say that maybe it was appending an end of transmission character to the end of the input. And yes, that does do what I want, thank you! – mPrime Apr 22 '21 at 23:16
  • An end of transmission character wouldn't cause what you were seeing either. There's nothing you can send that does what you're thinking. – Joseph Sible-Reinstate Monica Apr 22 '21 at 23:18
  • The first way you execute it `./a.out` starts a new interactive shell which you can use until you exit. In the second you're just telling it to execute `ls` and then exit. It's working as expected. – bmcculley Apr 23 '21 at 02:35
  • The pipe links the input of your program to the output of the `echo`. When the `echo` finishes it exits. The OS terminates the input stream, which effectively ends your session. – Paul Hodges Apr 23 '21 at 14:09
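
The pipe behaviour described in the comments above, as an added example that is not part of the original thread. A plain `sh` reading commands from stdin stands in for the shell spawned by `system("/bin/sh")`; the function names and command strings are constructed, and a delayed second write replaces the interactive `cat` so the script runs unattended.

```shell
#!/bin/sh
# Added demo (not from the thread). All command strings are constructed.

# 1. The writer exits right after its payload: the write end of the pipe is
#    closed, the shell's next read() returns 0 bytes (EOF) and it exits.
writer_exits() {
    printf 'echo first\n' | sh 2>/dev/null
}

# 2. An EOT byte (octal 004) written into a pipe is ordinary data. Only a
#    terminal's line discipline turns Ctrl-D into an end-of-file condition.
#    The shell tries to run a command named "\004", fails, and keeps reading.
eot_is_data() {
    printf 'echo before\n\004\necho after\n' | sh 2>/dev/null
}

# 3. The writer keeps the pipe open after the payload, as `(echo ls; cat)`
#    does. The shell blocks in read() and runs whatever arrives later.
writer_holds_open() {
    ( printf 'echo first\n'; sleep 1; printf 'echo second\n' ) | sh 2>/dev/null
}

echo "writer exits:      $(writer_exits | tr '\n' ' ')"
echo "EOT byte in pipe:  $(eot_is_data | tr '\n' ' ')"
echo "writer holds open: $(writer_holds_open | tr '\n' ' ')"
```

For interactive use, the same shape is `(printf '<payload with octal escapes>'; cat) | ./a.out`: `cat` forwards the keyboard and the pipe only closes when `cat` itself sees end-of-file.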
