
Different results when running C program from Python Subprocess vs in Bash

I’ve got a string/argument that I’d like to pass to a C program. It’s a string format exploit.

'\xb2\x332\x08%13x%2$n'

However, there seems to be different behaviours exhibited if I call the C program from Python by doing

subprocess.Popen(["env", "-i", "./practice", '\xb2\x332\x08%13x%2$n'])

versus

./practice '\xb2\x332\x08%13x%2$n'

The difference is that the string exploit attack works as expected when calling the script via subprocess, but not when I call it through the CLI.

What might the reason be? Thanks.


Answer

Bash manpage says:

Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard. Backslash escape sequences, if present, are decoded as follows: [snipped]
\xHH the eight-bit character whose value is the hexadecimal value HH (one or two hex digits)

Then would you please try:

./practice $'\xb2\x332\x08%13x%2$n'
User contributions licensed under: CC BY-SA