
I'm sorry that this is unusually long, I just want the contributors to see what I have tried before posting.

My code:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>

    void nevercalled(){
        printf("nevercalled");
    }

    void gadget1(char payload[]){
        char buff[16];            /* 16-byte stack buffer */
        strcpy(buff, payload);    /* unbounded copy: stops only at the first 0x00 byte */
    }

    int main(int argc, char** argv){
        gadget1(argv[1]);
        return 0;
    }

When I passed this command line argument: `AAAABBBBCCCCDDDD\x19\x0c\x00\x60` and viewed the first 20 words, I got:

    0x603ffeb0: 0x41414141 0x42424242 0x43434343 0x44444444
    0x603ffec0: 0x3931785c 0x6330785c 0x3030785c 0x3036785c
    0x603ffed0: 0x603fff00 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffee0: 0x60000b9c 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffef0: 0x00000002 0x603fff00 0xe8e8e8e8 0xe8e8e8e8

Instead of something like this:

    0x603ffeb0: 0x41414141 0x42424242 0x43434343 0x44444444
    0x603ffec0: 0x60000c19 0x6330785c 0x3030785c 0x3036785c
    0x603ffed0: 0x603fff00 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffee0: 0x60000b9c 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffef0: 0x00000002 0x603fff00 0xe8e8e8e8 0xe8e8e8e8

I figured the payload, which is stored in argv[1], is treated as a single string in the code above instead of as an array of characters. I confirmed that it is represented as "AAAABBBBCCCCDDDD\\x19\\x0c\\x00\\x60", which is not useful to me as it will reconvert the address to hexadecimal!

Just to be sure, I decided to pass the argument directly to confirm this (worked):

    int main(int argc, char** argv){
        gadget1("AAAABBBBCCCCDDDD\x19\x0c\x00\x60");
        return 0;
    }

    0x603ffeb0: 0x41414141 0x42424242 0x43434343 0x44444444
    0x603ffec0: 0x60000c19 0x60000b04 0xe8e8e8e8 0xe8e8e8e8
    0x603ffed0: 0x60000804 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffee0: 0x60000bb8 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffef0: 0x00000002 0x603fff00 0xe8e8e8e8 0xe8e8e8e8

In command-line format (the headache 0x3931785c returns):

    int main(int argc, char** argv){
        gadget1("AAAABBBBCCCCDDDD\\x19\\x0c\\x00\\x60");
        return 0;
    }

    0x603ffeb0: 0x41414141 0x42424242 0x43434343 0x44444444
    0x603ffec0: 0x3931785c 0x6330785c 0x3030785c 0x3036785c
    0x603ffed0: 0x60000800 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffee0: 0x60000bc4 0xe8e8e8e8 0xe8e8e8e8 0xe8e8e8e8
    0x603ffef0: 0x00000002 0x603fff00 0xe8e8e8e8 0xe8e8e8e8

How do I prevent the payload in argv[1] from being processed as `AAAABBBBCCCCDDDD\\x19\\x0c\\x00\\x60`?

dbayoxy
    How do you pass the command line argument? `I passed this command line argument` How? – KamilCuk Mar 04 '20 at 14:30
  • @KamilCuk Through the terminal – dbayoxy Mar 04 '20 at 14:31
  • How exactly? What did you type "through the terminal"? Did you type anything? Do you have a shell? If you do, what shell do you have? Do you have an operating system on that "xtensa"? A linux? If yes, what/which linux? `and viewed the first 20words` How did you view the first 20 words? What did you use? I ask, because you showed your result, you did not show how to reproduce what you have. Let's imagine I have an xtensa myself. What do I have to do to get exactly the same result as you do? – KamilCuk Mar 04 '20 at 14:31
  • For example, does the actual command-line argument contain the literal characters '\', 'x', '1', '9', or do you mean that to be a representation of a *single* character with value 19(hex)? – John Bollinger Mar 04 '20 at 14:34
  • @JohnBollinger Yes, the actual argument is AAAABBBBCCCCDDDD\x19\x0c\x00\x60. The problem is that I don't know why this part "\x19\x0c\x00\x60" (already in hex) is being reconverted to hex like this part "AAAABBBBCCCCDDDD". – dbayoxy Mar 04 '20 at 14:51
  • @KamilCuk. I am using Xtensa emulator on Windows which uses xcc to compile by default. Similar to ARM, you can check the first 20 words by x/20xw $sp. – dbayoxy Mar 04 '20 at 14:56
  • @KamilCuk Yes, gdb – dbayoxy Mar 04 '20 at 14:58
  • 0x3931785c is literally the characters, \ (backslash), x (ecks), 1 (one), 9 (nine). However you are passing these arguments, you are not giving the program the character 0x19, you are giving it backslash x 1 9 instead – user253751 Mar 04 '20 at 14:59
  • @user253751. Thanks for pointing this out, my aim is to store \x19\x0c\x00\x60 (little-endian) as 0x60000c19 using 4bytes only! – dbayoxy Mar 04 '20 at 15:06
  • You need to pass those characters then. `printf` can help, as in (I think) `"$(printf '\x19\x0c')"` *however* 0x00 ends a C string and strcpy will stop copying at that point. You cannot have a 0x00. – user253751 Mar 04 '20 at 15:07
  • @user253751. Please do you have an explanation as to why \x19 is read/stored as separate four characters "\" "x" "1" "9" when it should be read as a byte? – dbayoxy Mar 04 '20 at 17:06
  • Because it's not being parsed as such. You probably will need to manually parse that yourself if you REALLY want to be putting it in through the command line. Either that or copy/paste the ASCII text when doing the command line request. Note that your "AAAA" etc isn't doing the hex (0x0A/line feed) equivalent but the ASCII (0x41/'A') equivalent. A more fun thing will happen when you try to input that null character. It'll just stop reading. I'd rethink entering this as a string over a command line. – yhyrcanus Mar 04 '20 at 17:19
  • @dbayoxy Why do you think it should be read as a byte? – user253751 Mar 04 '20 at 18:06
  • @user253751 The address size is 4 bytes and I think each \xnn should be a byte, so the four \xnn should represent one address. The "\" "x" "1" "9" means each of them has to be converted to hex rather than just reading \x19. – dbayoxy Mar 04 '20 at 19:01
  • @dbayoxy, multiple people are trying to tell you that your expectation is wrong. The four-character sequence "\" "x" "1" "9" appearing on a shell command line *does not* (generally) represent a single byte. Nor does C interpret such a sequence appearing in a string at runtime as a single byte. The character escape sequences recognized by C are recognized only when they appear in appropriate contexts within C **source code**. – John Bollinger Mar 04 '20 at 19:10
  • As a secondary matter, you are also going to have trouble with the null byte you are trying to pass. The shell will probably not handle that as you want, and even if it did, the C code you've presented definitely wouldn't handle it as you want: `strcpy` would interpret it as a string terminator. – John Bollinger Mar 04 '20 at 19:17
  • @dbayoxy You press the backslash key, you get a backslash. You press the x key, you get an x. You press the 1 key, you get a 1. You press the 9 key, you get a 9. Why do you expect anything different? – user253751 Mar 05 '20 at 11:31
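The point the comment thread makes, as an added example (not code from the question or its comments): the four characters `\x19` arrive in argv[1] unchanged, and only a decoder (the C compiler for a source literal, or shell `printf` for its format string) turns them into the single byte 0x19; and once decoded, the 0x00 byte terminates the string for `strcpy`. The constant `LITERAL` is a constructed sample of what argv[1] really contains, and `unescape_hex`, `le32`, `strcpy_copies`, `decoded_word16` and `decoded_copied` are names chosen here, not anything from the page.

```c
#include <string.h>

/* Constructed sample: what argv[1] actually holds when the shell is handed
   AAAABBBBCCCCDDDD\x19\x0c\x00\x60 verbatim: a literal '\', 'x', '1', '9', ... */
static const char LITERAL[] = "AAAABBBBCCCCDDDD\\x19\\x0c\\x00\\x60";

static int hexval(int c) {
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode each \xNN into one byte, as the C compiler does for a source literal
   and shell printf does for its format string. Returns the number of bytes. */
size_t unescape_hex(const char *in, unsigned char *out) {
    size_t n = 0;
    while (*in) {
        if (in[0] == '\\' && in[1] == 'x' && hexval(in[2]) >= 0 && hexval(in[3]) >= 0) {
            out[n++] = (unsigned char)(hexval(in[2]) * 16 + hexval(in[3]));
            in += 4;
        } else {
            out[n++] = (unsigned char)*in++;
        }
    }
    return n;
}

/* Four bytes as one little-endian word, the way gdb's x/xw displays them. */
unsigned int le32(const unsigned char *b) {
    return b[0] | (b[1] << 8) | (b[2] << 16) | ((unsigned int)b[3] << 24);
}

/* How many bytes strcpy() would copy before the first 0x00 ends the "string". */
size_t strcpy_copies(const unsigned char *buf, size_t n) {
    size_t i = 0;
    while (i < n && buf[i] != 0) i++;
    return i;
}

/* Offset 16 after decoding: 0x60000c19, the address the question wanted.
   Undecoded, le32(LITERAL + 16) reads 0x3931785c, i.e. '\' 'x' '1' '9'. */
unsigned int decoded_word16(void) {
    unsigned char buf[sizeof LITERAL];
    unescape_hex(LITERAL, buf);
    return le32(buf + 16);
}

/* ...but the decoded bytes contain 0x00 at offset 18, so strcpy stops at 18 of 20. */
size_t decoded_copied(void) {
    unsigned char buf[sizeof LITERAL];
    return strcpy_copies(buf, unescape_hex(LITERAL, buf));
}
```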

0 Answers