On Tue, 12 Aug 2003, Steven Micallef wrote:

> I'm trying to write a buffer overflow for an application that prompts
> the user for input. Upon supplying the (over)lengthy input, the app
> segfaults. My question is, what method would I use in my exploit to
> supply the overflow string? I think using popen() and then fprintf() is
> the best way to do this, but I'm new to this, so I was hoping for some
> suggestions.

You didn't mention the operating system, or the kind of interaction the application requires.

If it runs in a dumb terminal mode, you can indeed use pipes - and you usually don't even have to use popen(), you can rely on pipe support of your shell ('exploit | application') on systems that support this. Or, better yet, you don't need to code an exploit at all, just put a shellcode in a file, then run 'buggy_app <shellcode'.

If you mean *nix, chances are, the application uses certain more advanced terminal features and will refuse to run with stdin not pointing to a pseudo-terminal (su, sudo, passwd, screen and many other applications come to mind). In this case, you need a way to put characters into its input queue, which is quite OS-dependent and often poorly documented. On Linux, you can do it with TIOCSTI ioctl.

If the application runs under X11 (or Windows or what not), it gets even more fuzzy, you need to send the right type of messages to the right window, some more coding.

So, you probably need to give us more data to get more specific answers.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-08-12 18:41 --
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 11:20:22 PDT