I got a small question.

Say I have the following code inside a console application:

```c
printf("Enter name: ");

scanf("%s", &name);
```

I would like to exploit this vulnerability and enter the following shell code (MessageboxA):

6A 00 68 04 21 2F 01 68 0C 21 2F 01 6A 00 FF 15 B0 20 2F 01

How can I enter my shell code (hex values) through the console?

If I enter the input as is, it treats the numbers as chars and not as hex values.

Thanks a lot.

Anish Gupta
Michael

1 Answer

You could use as stdin a file with the desired content or use the echo command.

Suppose your shell code is AA BB CC DD (obviously this is not a valid shellcode):

```sh
echo -e "\xAA\xBB\xCC\xDD" | prog
```

MirkoBanchi
  • I do not understand, can you explain and give an example please? I cannot change the source code. – Michael May 19 '12 at 12:53
  • Create a file `input.txt` with some hex editor, containing these characters. Then run the console application this way: `program.exe < input.txt` – K.Steff May 19 '12 at 12:57
  • Understood, what about the echo command? How can it help me? – Michael May 19 '12 at 13:01
  • However, I see that your shellcode contains null bytes... scanf will copy until the first null byte, so you have to produce a shell code without null bytes. – MirkoBanchi May 19 '12 at 13:03
  • @MirkoBanchi: Since he mentioned `MessageBoxA`, I'm guessing this is about Windows, where that `echo` won't work. – DCoder May 19 '12 at 13:14
  • I tried copy-pasting your echo line, and unfortunately the scanf only took the word "echo" as input. So it still does not work. I understand this is very intuitive for you, but I have never used the echo command and would like an explanation of what I am doing wrong. Thanks a lot! – Michael May 19 '12 at 13:15
  • Unfortunately I don't know Windows very well... however, maybe [this](http://stackoverflow.com/questions/4495576/echo-e-equivalent-in-windows) could be useful. – MirkoBanchi May 19 '12 at 13:27
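
An added example, not part of the original question or its answer: the defensive counterpart of the `scanf("%s", &name)` call in the question, with the read bounded by a field width so that over-long input is truncated instead of overrunning the buffer. The 15-byte limit and the names `read_name` and `stored_len_for` are assumptions made for illustration, since the question does not show how `name` is declared.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 15  /* assumed limit; the question does not show how name is declared */

/* Read one whitespace-delimited token of at most NAME_LEN bytes into name.
 * Returns the number of bytes stored, or -1 on EOF or read error. */
int read_name(FILE *in, char name[NAME_LEN + 1])
{
    /* The field width bounds what %s may store; the terminating NUL is extra.
     * Keep the literal 15 in sync with NAME_LEN. */
    if (fscanf(in, "%15s", name) != 1)
        return -1;
    /* Discard the rest of the line so leftover bytes do not feed the next read. */
    int c;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ;
    return (int)strlen(name);
}

/* Feed constructed bytes through read_name and report how many were stored.
 * Returns -2 if the temporary file cannot be created or the guard byte changed. */
int stored_len_for(const unsigned char *data, size_t n)
{
    struct { char name[NAME_LEN + 1]; unsigned char guard; } s;
    FILE *f = tmpfile();
    if (f == NULL)
        return -2;
    fwrite(data, 1, n, f);
    rewind(f);
    memset(s.name, 0, sizeof s.name);
    s.guard = 0xA5;  /* sits after the buffer; must survive the read */
    int len = read_name(f, s.name);
    fclose(f);
    return s.guard == 0xA5 ? len : -2;
}

int main(void)
{
    char name[NAME_LEN + 1];
    printf("Enter name: ");
    if (read_name(stdin, name) >= 0)
        printf("Hello, %s\n", name);
    return 0;
}
```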