1

I am presently using a Python script to run a C executable like:

os.system("./a.out \"%s\" " %p)

There are many binary instructions available to me (i1, i2, i3 ... i10, to be exact). I am generating the permutations of these instructions (of length 1, 2, 3 ... 10) using itertools in Python. The string payload p (in the snippet above) is one such permutation. I am measuring the time taken for each permutation as follows:

start = time.clock()
os.system("./a.out \"%s\" " %p)
print time.clock() - start

(This may not be the best way to measure time. But that is a subject of another question.)
Now for some permutations I get a segmentation fault and the Python script proceeds to another permutation. But for some permutations I get no response (like being stuck in an infinite loop), like:

58 60 452 547 583 649 756 777 932 965 
key  Not found
(Nothing happens after this. This is due to bad combination 
 of instructions or bad payload.
I have to press ctrl C to proceed to next permutation)
^C---------------[9 8 ]------------
The gadget seq is [mov,ret xor eax,eax,ret ] and time taken is 
0.000254 (this is the bad permutation of instructions)

(Next permutation.. )

After I press Ctrl + C, the Python script goes to the next permutation. To put it more clearly:

perm = itertools.permutations(gadget_list,2) #perm is list of all permutations of 2 instructions
for string in list(perm):
    #generate the payload p from string which is one of the permutation
    #feed it to c program and measure time
    start = time.clock()
    os.system("./a.out \"%s\" " %p)
    print time.clock() - start

Now for longer permutation lengths it becomes tedious to press Ctrl C for every bad payload. Is there any way by which I can automate killing/stopping the C program (which I was doing by pressing Ctrl C) when it gets stuck due to a bad payload, and proceed to the next permutation?

shane
  • 449
  • 4
  • 17

2 Answers

1

To gain more control of the child process, you need to use the subprocess module.

import time
from subprocess import Popen
from shlex import split

# p is the payload string built by the caller, as in the question.
proc = Popen(split("./a.out '%s'" % p))

rtime, timeout = 0, 10
while rtime < timeout:
    rc = proc.poll()        # None while the child is still running
    if rc is not None:
        break               # process finished.
    time.sleep(1)
    rtime += 1
else:
    proc.kill()             # still running after `timeout` seconds: kill it
    proc.wait()             # reap the killed child so it does not linger as a zombie

Dyno Fu
  • 8,753
  • 4
  • 39
  • 64
  • So do I replace my os.system() line with the above snippet? Where should I write my start = time.clock and print time.clock()-start? – shane Nov 07 '16 at 09:56
  • '''start''' after Popen line, '''end''' at the bottom – Dyno Fu Nov 07 '16 at 15:32
0

Try rather something like:

os.system("timeout 5 ./a.out \"%s\" " %p)

for killing the process after 5 seconds for instance.

Just open a shell and try:

timeout 2 yes

to see.

Thomas Baruchel
  • 7,236
  • 2
  • 27
  • 46
  • With this solution I don't need to type Ctrl C. But is there any way to know that timeout happened, so that in that particular permutation I can print a message that this payload is bad? – shane Nov 07 '16 at 09:54
  • @shane Yes, the return value should be fine; compare `{ timeout 2 sleep 1; } && echo ok` with `{ timeout 2 sleep 3; } && echo ok` and check that when the timeout is expired, the return value of the `timeout` command is a failure. Thus, try something like `result = os.system("timeout ...")`. See https://docs.python.org/2/library/os.html#os.system "On Unix, the return value is the exit status of the process" – Thomas Baruchel Nov 07 '16 at 11:33
  • I tried k = os.system("timeout 2 sleep 1") and printed k. The value of k was 0. Then I tried k = os.system("timeout 2 sleep 3"). The value of k this time was 31744. So I can use this difference to find when timeout happened? But according to this link: http://unix.stackexchange.com/questions/205076/timeout-function-return-value , I thought the value of k in 2nd case will be 124 rather than 31744. – shane Nov 07 '16 at 12:28
  • I got it. os.system returns a 16-bit number. The first 8 bits tell you the exit code and the last 8 bits tell the signal used by the OS to close the command. 31744 = 0x7c00, and 0x7c in decimal is 124. http://stackoverflow.com/questions/6466711/what-is-the-return-value-of-os-system-in-python – shane Nov 07 '16 at 12:59
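Putting both answers together (the subprocess-with-timeout approach from the first answer and the wait-status decoding worked out in the comments on the second), here is an added Python 3 example that is not from the question or either answer. It assumes a hypothetical crash-prone target in place of ./a.out and stands in for it with small Python one-liners constructed inline; it passes argv as a list (no shell), so a payload containing quotes or other shell metacharacters cannot change the command line.

```python
import os
import subprocess
import sys
import time


def run_payload(argv, timeout):
    """Run argv under a wall-clock limit and classify the outcome.

    Returns {"kind": 'exited'|'signaled'|'timeout', "code": int|None, "elapsed": float}.
    A hung child is killed and reaped by subprocess.run, so the loop never blocks.
    """
    start = time.perf_counter()
    try:
        proc = subprocess.run(argv, timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return {"kind": "timeout", "code": None, "elapsed": time.perf_counter() - start}
    elapsed = time.perf_counter() - start
    if proc.returncode < 0:
        # POSIX: negative returncode means the child died from that signal (11 = SIGSEGV).
        return {"kind": "signaled", "code": -proc.returncode, "elapsed": elapsed}
    return {"kind": "exited", "code": proc.returncode, "elapsed": elapsed}


def decode_wait_status(status):
    """Decode the raw 16-bit wait status that os.system() returns on Unix.

    High byte = exit code, low byte = terminating signal, which is why
    timeout(1)'s exit code 124 shows up as 31744 == 0x7c00.
    """
    if os.WIFSIGNALED(status):
        return ("signaled", os.WTERMSIG(status))
    return ("exited", os.WEXITSTATUS(status))


# Constructed stand-ins for ./a.out: one hangs, one segfaults itself, one exits cleanly.
HANG_CMD = [sys.executable, "-c", "import time; time.sleep(60)"]
CRASH_CMD = [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
OK_CMD = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    for name, argv in (("hang", HANG_CMD), ("crash", CRASH_CMD), ("ok", OK_CMD)):
        print(name, run_payload(argv, timeout=2.0))
    print(decode_wait_status(31744))  # ('exited', 124)
```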