Passing shellcode from Python as command line argument
I am currently preparing a small presentation about computer security among my fellow students. To get them at least a bit excited I wanted to demonstrate how the wrong use of the strcpy-function inc C can be exploited. This is the code of the vulnerable program:
#include<string.h>
#include<stdio.h>
void function(char *buffer1)
{
char buffer2[5];
strcpy(buffer2,buffer1);
}
int main开发者_JAVA技巧 (int argc, char **argv)
{
function(argv[1]);
return 0;
}
Just using the command line I was able to crash the application by calling it with
test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ
Which gave me the correct 0x4D4C4B4A (MLKJ) for the EIP. It also works if I call it from Python:
os.system("test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ")
However, if I want to put an address instead of JKLM, like this:
os.system("test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")
It gives me following output near the ESP on the Stack:
0028cca0 e4 21 d7 41 42 43 44 45-46 47 48 49 75 c2 9a 21 .!.ABCDEFGHIu..!
0028ccb0 1b 4e 4f 50 51 52 53 54-55 56 57 58 59 5a 00 00 .NOPQRSTUVWXYZ..
Here the 75 c2 9a 21 matters because it is almost what I expected, except the 0x1B, which is the ASCII Character for ESCAPE, is replaced by 0xC2. When I change the order of the address, so it looks like this: \x21\x1b\x75\x9a, the 9a gets replaced by the same mysterious C2. Does anyone know whats the matter with the code? Am I missing some basic point or is it some kind of protection against stack based buffer overflows?
Thanks,
It looks like your text is undergoing UTF-8 conversion. Note that your original bytes:
75 9a 21 1b
^^
are replaced by
75 c2 9a 21 1b
^^^^^
I've highlighted the UTF-8 encoded byte. If you're using Python 3, try:
os.system(b"test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")
The b""
indicates that the data is a byte sequence, and shouldn't be converted from Unicode to the default encoding (which in your case seems to be UTF-8).
精彩评论