1. 技术文章
  2. How to pass \\x00 as argument to program?

How to pass \\x00 as argument to program?

旧时模样 提交于 2019-11-30 22:27:07

If you check with wc, you'll find that the NUL character is indeed passed:

$ python -c 'print "\x00"' | wc -c
2

To get rid of the newline at the end:

$ python -c 'import sys; sys.stdout.write("\x00")' | wc -c
1

This data is passed to the script, but the problem is that NUL can not be part of a variable value.

To see how, try to pass this to a script:

$ cat test.sh 
#!/usr/bin/env bash
echo ${#1}
$ ./test.sh "$(python -c 'import sys; sys.stdout.write("\x00")')"
0

Gone. But there's a way to save the day - Read from standard input, using either redirection or a pipe:

$ cat test2.sh 
#!/usr/bin/env bash
wc -c
$ ./test2.sh < <(python -c 'import sys; sys.stdout.write("\x00")')
1
$ python -c 'import sys; sys.stdout.write("\x00")' | ./test2.sh
1

Not at all. Unix uses C-style strings for the arguments a command is invoked with, and they are NUL-terminated character sequences.

What you can do is to rewrite your program (or find an invocation variant) to accept the parameter in its standard input. NUL bytes work just fine there and are, in fact, widely used, typically as separators for file names, since they are pretty much the only thing a file name can never contain. See find's -print0 switch and xarg's switch -0 for the arguably most popular examples.

asxalex

the xargs command with --null option can help:

python -c 'print "\x30\x00\x31"' | xargs --null ./program

I tried that, and it worked.

I believe this is because Bash discards null characters.

To test this I used the od command to dump out the parameters in octal format, using the following script:

$ cat script.sh

#!/bin/bash
echo "$@" | od -c

and ran it using:

$ script.sh `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"'`
0000000 001 234 330 377 277  \n
0000006

The null characters are not printed.

To get around this issue pass in a hexdump and then reverse it in your program. Example:

$ cat script.sh

#!/bin/bash
echo "$@" | xxd -r -p | od -c

$ script.sh `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"' | xxd -p`
0000000 001  \0  \0  \0 234 330 377 277  \n
0000011

Now you see that the null characters are printed.

renzor

You can try putting the shellcode in a file and then read it back and pass it to the executable.

something like:

$ cat shellcode.txt
\xb5\x06\x40\x00\x00\x00\x00\x00

$ perl -e ' $a = `cat shellcode.txt`; chomp($a); print $a x 10; '
\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00
\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00
\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00
\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00

use the above perl cmdline as argument to the program

$ ./program $(perl -e ' $a = `cat shellcode.txt`; chomp($a); print $a x 10; ')

You can try this,

main.out `perl -e 'print "xxxxssssdd\x23\x00\xaf"'`

and 

perl -e 'print "xxxxssssdd\x23\x00\xaf"' | wc -c
13

It proves \x00 is passed.

By the way, I find c program surely stip \00 in argv in my test. You can examine the argv such as, 

 x /8sb 0x7fffffffe46a
0x7fffffffe46a: "/home/victor/Documents/CDemo/overflow/shellcode2/shellcode_host.out"
0x7fffffffe4ae: '\220' <repeats 21 times>, "\353#YUH\211\345@\200\354\200H\211M\220H1\300H\211E\230H\211\302H\215u\220H\213}\220\260;\017\005\350\330\377\377\377/bin/sh\200\337\377\377\377\177"
0x7fffffffe4fb: "LC_PAPER=zh_CN.UTF-8"

So I guess shell or c program can stip \x00 chararcter automatically.Maybe someone can explain why it happens.

But we have other technique to avoid \x00 in shellcode.

mov     $59, %al # not %rax 
sub    $0x80, %spl  # not %rsp
xorq    %rax,  %rax # construct 0 value with rax

You can refer to the article. https://www.exploit-db.com/docs/english/13019-shell-code-for-beginners.pdf

标签
shell
command-line
shellcode
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!