5

I am trying to perform a buffer overflow attack on a program for a class assignment. Both the attack program and the vulnerable programme were written by me.

The vulnerable code uses `scanf` to read data from stdin.

`./vulnerable < malicious_payload_file.txt` works fine. `more malicious_payload | ./vulnerable` and `echo JUNK_JUNK_JUNK_JUNK | ./vulnerable` also work as expected.

However, I would like to use the attack programme to keep supplying incrementally longer payloads till the programme crashes. So, I need to dynamically generate larger payloads of junk. I am using `system("./vulnerable");` to repeatedly call it and test for an abnormal exit.

How do I specify such a payload?

Is there a way to run `./vulnerable < malicious_payload_binary`, or something in that manner, such that I do not have to put the malicious payload in a file but can specify it on the command line?

Lord Loh.
  • I don't understand your question very well. The answer to the question in the last line could be: `echo "your payload goes here" | ./vulnerable` but you already know that. So, what exactly is the question? – Susam Pal Jul 27 '11 at 15:55
  • (+1) @Susam Pal - I was looking for a more efficient approach than spawning a process for echo every time. Each time I run `system` there shall be a bash process, echo process and vulnerable process. – Lord Loh. Jul 27 '11 at 16:00
  • As I have mentioned in one of my comments below, `echo` is usually a shell-builtin. If so, it wouldn't spawn a new process. Run the command `type echo` to find out whether it is a shell-builtin or not. – Susam Pal Jul 27 '11 at 16:07
  • You seem confused about the difference between *specify on the command line* and *supply on standard input*. Also, you are worrying about efficiency where it's really not important. – mlp Jul 28 '11 at 02:11

4 Answers

9

How about this?

```sh
echo "your payload goes here" | ./vulnerable
```

You can replace the `echo` command with any command that generates the input to `./vulnerable` that you want. For example, to feed it a constant flow of junk as input, you can do this:

```sh
cat /dev/urandom | ./vulnerable
```

Susam Pal
2

Rather than trying to use the command line, you might try using `popen` instead of `system`:

```c
#include <stdio.h>

FILE *fp = popen("./vulnerable", "w");  /* the child's stdin is the write end of a pipe */
// write stuff to fp -- it goes to vulnerable's stdin
int exitcode = pclose(fp);              /* closes the pipe, waits for the child, returns its wait status */
```

The exit code you get from `pclose` is the same as what you would have got from `system`, had you used another process to create the data and piped it via the shell to `./vulnerable`.

Chris Dodd
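The `popen`/`pclose` approach above, worked through as a complete harness. This is an added example, not Chris Dodd's code or the asker's: it feeds a command a growing run of junk through a pipe (no temporary file, no separate echo process) and decodes the wait status that `pclose` returns with the `WIFSIGNALED`/`WIFEXITED` macros, which is the "abnormal exit" check the question describes. The target in `main` is a constructed stand-in shell snippet that imitates a program which dies once its input exceeds 64 bytes; `run_with_input` and `find_crash_length` are names chosen here, and any command that reads stdin can be substituted for the stand-in.

```c
#define _POSIX_C_SOURCE 200809L   /* expose popen/pclose under strict C modes */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* How one run of the child ended. */
struct run_result {
    int ok;        /* 1 if popen and pclose both succeeded, 0 on harness error */
    int signaled;  /* 1 if the child was killed by a signal, i.e. ended abnormally */
    int code;      /* exit status when it exited normally, signal number when signaled */
};

/* Run `cmd` via the shell with `len` bytes of `input` on its stdin.
 * No temporary file and no echo process: the bytes go down a pipe. */
struct run_result run_with_input(const char *cmd, const char *input, size_t len)
{
    struct run_result r = {0, 0, -1};

    /* If the child dies before it has read everything, a later write to the
     * pipe raises SIGPIPE, which would kill this harness as well. Ignore it so
     * the write just fails and pclose still reports how the child ended. */
    signal(SIGPIPE, SIG_IGN);

    FILE *fp = popen(cmd, "w");
    if (fp == NULL)
        return r;

    /* A short write is expected once the child has crashed; the verdict comes
     * from the wait status, not from how many bytes got through. */
    fwrite(input, 1, len, fp);

    /* pclose flushes, closes the pipe (so the child sees EOF) and waits for it,
     * returning the same wait status that system() would. */
    int status = pclose(fp);
    if (status == -1)
        return r;

    r.ok = 1;
    if (WIFSIGNALED(status)) {
        r.signaled = 1;
        r.code = WTERMSIG(status);
    } else if (WIFEXITED(status)) {
        r.code = WEXITSTATUS(status);
    }
    return r;
}

/* Feed `cmd` a run of 'A's that grows by `step` bytes each round, starting at
 * `start`, and stop at the first length that ends it with a signal.
 * Returns that length, or 0 if no round up to `max_len` ended abnormally. */
size_t find_crash_length(const char *cmd, size_t start, size_t step, size_t max_len)
{
    if (step == 0)
        return 0;
    char *junk = malloc(max_len);
    if (junk == NULL)
        return 0;
    memset(junk, 'A', max_len);

    size_t found = 0;
    for (size_t len = start; len <= max_len; len += step) {
        struct run_result r = run_with_input(cmd, junk, len);
        if (!r.ok)
            break;
        if (r.signaled) {
            found = len;
            break;
        }
    }
    free(junk);
    return found;
}

int main(void)
{
    /* Constructed stand-in for ./vulnerable: a shell snippet that reads its whole
     * stdin and kills itself with SIGSEGV once the input exceeds 64 bytes. It
     * only imitates "crashes past some input length" for this demonstration. */
    const char *fake_target =
        "n=$(wc -c); [ \"$n\" -gt 64 ] && kill -s SEGV $$; exit 0";

    struct run_result r = run_with_input(fake_target, "short input", 11);
    printf("short input: ok=%d signaled=%d code=%d\n", r.ok, r.signaled, r.code);

    size_t n = find_crash_length(fake_target, 16, 16, 256);
    if (n)
        printf("first abnormal exit at %zu bytes of input\n", n);
    else
        printf("no abnormal exit up to 256 bytes\n");
    return 0;
}
```

Two details matter in practice. `popen` still runs the command through `sh -c`, so the saving over `system` plus `echo` is the file and the extra process, not the shell itself. And ignoring `SIGPIPE` is not optional: once the child has crashed, the next write to the pipe would otherwise terminate the harness before it ever sees the child's wait status.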
0

Try piping instead of redirecting:

```sh
./malicious_payload_binary | ./vulnerable
```

dolphy
  • This would say `bash: malicious_payload_binary: command not found` – Lord Loh. Jul 27 '11 at 15:56
  • Maybe `./malicious_payload_binary | ./vulnerable` – Grzegorz Szpetkowski Jul 27 '11 at 15:56
  • @Grzegorz Szpetkowski - `malicious_payload_binary` would then have to be a binary file with execute permissions, which means an extra process. I am trying to avoid files totally and send the payload via the command line only. Is this even possible? – Lord Loh. Jul 27 '11 at 16:04
0

EDIT: I think I finally understand your question (maybe): you want to read command line arguments? Something like

```c
#include <stdio.h>

int main(int argc, char *argv[])
{
    printf("the name of this program is %s\n", argv[0]);
    printf("%d command line arguments were provided\n", argc);
    if (argc < 2) {  /* argv[1] is NULL when no argument is given; don't hand it to %s */
        fprintf(stderr, "usage: %s inputfile\n", argv[0]);
        return 1;
    }
    printf("the input file is %s\n", argv[1]);
    // could do something like: fopen(argv[1], "r") here
    return 0;
}
```

If you compile it to a binary named `stdintest` and run it like so:

```sh
./stdintest somefile.txt
```

it will output:

```
the name of this program is ./stdintest
2 command line arguments were provided
the input file is somefile.txt
```

OLD:

As dolphy mentioned, just write to stdout in `malicious_payload_binary`, read from stdin in `vulnerable`, and connect them with a pipe: `./malicious_payload_binary | ./vulnerable`

mgalgs
  • I'm guessing I got downvoted because this isn't "specifying the payload at the command line", but it _is_ the answer to the **core** (poorly worded) question: "I need to dynamically generate larger payloads of junks". – mgalgs Jul 27 '11 at 16:00
  • I did not downvote anyone. I do understand that I was not able to express the question well and got too wordy. But the essence is in the title - 'how does one redirect stdin to take data specified in command line.' – Lord Loh. Jul 27 '11 at 16:07
  • (+1) You've still got my +1, and even more so now. – dolphy Jul 27 '11 at 17:28