
I am trying to create a C program that sends inputs to a file in order to produce an overflow. In my C program I defined the name of the target program and the args and I've used execv:


#include <stdio.h>
#include <unistd.h>

#define DEST_PROG "./myapp"

int main(void)
{
    // then I defined the input using:
    char* argParam[4];
    argParam[0] = DEST_PROG;
    argParam[1] = "AAAAAAAAAA";
    argParam[2] = "BB\xaa\xaa\xaa\xaa";
    argParam[3] = NULL;

    execv(DEST_PROG, argParam);   // only returns if the exec itself failed
    perror("execv");
    return 1;
}


When I invoke execve, the program sends the input but I don't get a segmentation fault; the ret address does not get overwritten.

From the command line it works fine. With the following line, which sends the same two inputs, the ret address gets overwritten with 0xaaaaaaaa:

./myapp $(python -c 'print "A"*10+ "\t"+"BB\xaa\xaa\xaa\xaa"') 

Thank you

Emz
  • Hi, I've used a separator – Emz Feb 12 '23 at 19:53
  • You need to use more quotes if you want only one argument passed to myapp. `./myapp "$(python ...)"` -- leave out the double quotes and the output from the Python interpreter is subject to word-splitting and glob expansion, and with a default IFS value the tab character will become an argument boundary. – Charles Duffy Feb 12 '23 at 19:57
  • Also, note that _literal_ quotes and _syntactical_ quotes don't substitute for each other. If you mean `argParam[2]` to be `"\"\xaa\xaa\xaa\xaa\""`, those inner quotes are passed as data, which is _not at all_ how a shell would treat them if you put them on a command line without being escaped, or inside a different kind of quotes, or so forth. – Charles Duffy Feb 12 '23 at 19:59
  • A shell command that acts akin to how your Python does might be `./myapp 'AAAAAAAAAA' $'\xaa\xaa\xaa\xaa'` – Charles Duffy Feb 12 '23 at 20:02
  • Or in native C, you'd just want `"\xaa\xaa\xaa\xaa"` -- no additional double quotes. – Charles Duffy Feb 12 '23 at 20:03
  • @DanGetz, it's two arguments if the OP is using a POSIX-compliant shell with a default IFS value (it'll be only one if they're using zsh, or if they redefined IFS to no longer contain the tab character) – Charles Duffy Feb 12 '23 at 20:04
  • Hi, the double "" is a typo. I don't understand why I don't get a segmentation fault with the C program. – Emz Feb 12 '23 at 21:08
  • The assignment `argParam[0] = "DEST_PROG"` makes `argParam[0]` point to the actual and literal string `"DEST_PROG"`. Macros are *not* expanded inside string literals. You need `argParam[0] = DEST_PROG` – Some programmer dude Feb 12 '23 at 21:10
  • @Some programmer dude, my bad, I do apologize, that's another typo. – Emz Feb 12 '23 at 21:11
  • And `DEST_PROG []` is not a valid expression. Please [edit] your question to include a proper [mre]. – Some programmer dude Feb 12 '23 at 21:11
  • That's why we need a properly **copy-pasted** [mre]. – Some programmer dude Feb 12 '23 at 21:13
  • Yes, I apologize, I modified it. – Emz Feb 12 '23 at 21:18
  • Piece of advice: Compare `strace -f -e execve -s 4096` output between your working shell script and your broken C program, focusing specifically on the invocation that doesn't work the same way between the two invocation modes. Once you know specifically what's different, that'll let you ask a narrowly focused question if it doesn't make the problem outright obvious on its face. – Charles Duffy Feb 13 '23 at 17:53
  • Hi, I've solved the issue, the code presented works fine, thank you – Emz Feb 14 '23 at 08:37
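The comments above pin the difference down to argument passing: the unquoted `$(python ...)` is word-split by the shell on the tab (with a default IFS), while `execv` hands the target exactly the `argv` vector you built, byte for byte, with no splitting or quote processing. The launcher below is an added example written for this page, not code from the question or from any answer. It does two things the posted program cannot: it prints every `argv` entry as hex before launching, so you can compare it against the `strace -f -e execve -s 4096` output of the shell invocation, and it runs the target with `fork` + `execv` + `waitpid` so the parent can report whether the child died from `SIGSEGV` instead of being replaced by it. `./myapp` is the asker's target and is assumed to exist; the other argument strings are the ones from the question.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEST_PROG "./myapp"   /* assumed: the asker's vulnerable target */

/* Render one argv entry as space-separated hex bytes into out (NUL-terminated,
 * truncated if outlen is too small). Returns the entry's length in bytes so
 * you can check that "\xaa" bytes really went out as single bytes. */
static size_t format_arg_hex(const char *s, char *out, size_t outlen)
{
    size_t n = strlen(s), pos = 0;
    if (outlen)
        out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + pos, outlen > pos ? outlen - pos : 0,
                         i ? " %02x" : "%02x", (unsigned char)s[i]);
        if (w < 0)
            break;
        pos += (size_t)w;
    }
    return n;
}

/* Run argv[0] with the given argv in a child and wait for it.
 * Returns the signal number if the child was killed by a signal,
 * 0 if it exited normally (exit code stored in *exit_status, 127 if the
 * exec itself failed), or -1 if fork/waitpid failed in the parent. */
static int run_and_report(char *const argv[], int *exit_status)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    *exit_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return 0;
}

int main(void)
{
    /* Same three-entry vector as the question: execv passes it unchanged.
     * Putting "AAAAAAAAAA\tBB..." in ONE entry would reach ./myapp as one
     * argument, which is what the unquoted shell version does NOT do. */
    char *argv[] = { DEST_PROG, "AAAAAAAAAA", "BB\xaa\xaa\xaa\xaa", NULL };
    char hex[128];

    for (int i = 0; argv[i]; i++) {
        size_t n = format_arg_hex(argv[i], hex, sizeof hex);
        printf("argv[%d] (%zu bytes): %s\n", i, n, hex);
    }

    int status = -1;
    int sig = run_and_report(argv, &status);
    if (sig < 0) {
        perror("fork/waitpid");
        return 1;
    }
    if (sig)
        printf("child killed by signal %d%s\n", sig,
               sig == SIGSEGV ? " (SIGSEGV)" : "");
    else
        printf("child exited with status %d\n", status);
    return 0;
}
```

Compile with `cc -o launcher launcher.c` and run it next to `./myapp`. If the hex dump shows the bytes you expect but the child still exits normally, the difference is in the target's environment rather than in `argv` (stack layout shifts with environment size and with the exact length of `argv[0]`, so `./myapp` launched as `"./myapp"` from C and as `./myapp` from the shell should be compared with the same `envp` as well). The `strace` comparison from the comments shows both vectors side by side.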

0 Answers