I’ve got a string/argument that I’d like to pass to a C program. It’s a string format exploit.
'xb2x332x08%13x%2$n'
However, there seems to be different behaviours exhibited if I call the C program from Python by doing
subprocess.Popen(["env", "-i", "./practice", 'xb2x332x08%13x%2$n'])
versus
./practice 'xb2x332x08%13x%2$n'
The difference is that the string exploit attack works as expected when calling the script via subprocess, but not when I call it through the CLI.
What might the reason be? Thanks.
Advertisement
Answer
Bash manpage says:
Words of the form $’string’ are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard. Backslash escape sequences, if present, are decoded as follows: [snipped]
xHH the eight-bit character whose value is the hexadecimal value HH (one or two hex digits)
Then would you please try:
./practice $'xb2x332x08%13x%2$n'