1

I am trying to demonstrate a buffer overflow, and I wish to overwrite a local variable with gets. I have compiled my program using gcc with -fno-stack-protector, so I know that the buffer that gets uses is right next to another local variable I am trying to overwrite. My goal is to overflow the buffer and overwrite the adjacent variable so that both of them have the same string. However, I noticed that I need to be able to input the '\0' character so that strcmp will actually show that both are equal. How can I input '\0'?

firedrillsergeant

2 Answers

5

On many keyboards, you can enter a NUL character with Ctrl+@ (might be Ctrl+Shift+2 or Ctrl+Alt+2).

Barring that, you can create a file with a NUL byte and redirect that as stdin.

mnistic
Chris Dodd
0

I'm not sure you'll be able to input a '\0' into a gets(3) or fgets(3) function, as the function checks for newline terminators and probably has some way of protecting you from inputting a nul terminator to a C string (which is assumed to terminate on a nul character).

Probably, what you are trying to demonstrate is something implementation dependent (so, undefined behaviour), and will work differently for different implementations.

If you want to correctly overwrite a local variable with only one input statement, just use read(2), which allows you to enter nulls and any other possible character value.

Luis Colorado
  • I actually managed to do it, and I think you are partially correct. I don't think EOF and '\0' are the [same](https://stackoverflow.com/questions/4705968/what-is-value-of-eof-and-0-in-c), so `gets` probably does stop after seeing newline, but doesn't stop with null-termination character for a string. My original goal was to overwrite a local variable using buffer overflow vulnerability of `gets`, so I can't use `write`. – firedrillsergeant Mar 22 '18 at 05:57
  • I never meant `'\0'` and `'\n'` to be the same... but `'\0'` is C's string terminator, so in case of receiving it through the input stream, it deserves special treatment (this is what I said), not _the same treatment as `'\n'`_, because it can make the client program assume input ends there, when it doesn't. Should I have to implement it, I'll ignore it, or change it to a special char sequence. And `EOF` is not a character, but a condition. You cannot receive `EOF` as it is not a character. You normally detect `EOF` when no more characters get in (you receive `0` as the return value from the `read(2)` syscall) – Luis Colorado Mar 22 '18 at 07:38
  • ... but that's another story. – Luis Colorado Mar 22 '18 at 07:42
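A small C check, added here and not code from any of the posters, for the two points argued in the answers and comments above: the stdio line reader passes an embedded NUL byte through unchanged (so strcmp and strlen then stop at it), and a length-bounded fgets into the buffer cannot reach the neighbouring variable that an unbounded gets would overwrite. tmpfile() stands in for a file redirected to stdin; the sample lines, the 16-byte buffer size and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
enum { BUF_LEN = 16 };

/* Constructed sample lines (not from the thread): one with an embedded NUL,
 * as Ctrl+@ or a redirected file would produce, and one longer than buf. */
static const char NUL_LINE[] = "ab\0cd\n";                 /* 6 input bytes */
static const char LONG_LINE[] = "this line is much longer than sixteen bytes\n";

/* Turn raw bytes (NULs included) into a stream, as if redirected to stdin. */
static FILE *stream_from_bytes(const char *bytes, size_t n) {
    FILE *f = tmpfile();
    if (f && fwrite(bytes, 1, n, f) == n) { rewind(f); return f; }
    if (f) fclose(f);
    return NULL;
}

/* fgets one line into buf; return the bytes it stored before its own terminator
 * (index of '\n' + 1, or BUF_LEN-1 if cut short; -1 on error). memchr is used
 * rather than strlen so an embedded NUL does not hide what follows it. */
int fgets_bytes_stored(const char *input, size_t n, char buf[BUF_LEN]) {
    FILE *in = stream_from_bytes(input, n);
    if (in == NULL) return -1;
    memset(buf, '#', BUF_LEN);               /* sentinel: shows what fgets wrote */
    char *r = fgets(buf, BUF_LEN, in);
    fclose(in);
    if (r == NULL) return -1;
    const char *nl = memchr(buf, '\n', BUF_LEN);
    return nl ? (int)(nl - buf) + 1 : BUF_LEN - 1;
}

/* The bounded reader cannot reach the adjacent variable: read an over-long
 * line into buf and check that the neighbour following it is untouched. */
struct frame { char buf[BUF_LEN]; char neighbour[8]; };
int neighbour_survives_fgets(const char *input, size_t n) {
    struct frame f;
    memcpy(f.neighbour, "GUARD!!", 8);
    FILE *in = stream_from_bytes(input, n);
    if (in == NULL) return -1;
    char *r = fgets(f.buf, BUF_LEN, in);
    fclose(in);
    return r ? memcmp(f.neighbour, "GUARD!!", 8) == 0 : -1;
}

int main(void) {
    char buf[BUF_LEN];
    int stored = fgets_bytes_stored(NUL_LINE, sizeof NUL_LINE - 1, buf);
    printf("fgets stored %d bytes, strlen sees %zu, neighbour intact: %d\n", stored,
           strlen(buf), neighbour_survives_fgets(LONG_LINE, strlen(LONG_LINE)));
    return 0;
}
```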