Tags: reverse-engineering, bash

How can I give NULL bytes in input?


I am trying to exploit a binary (64-bit) with the gadget chaining technique. I have to pass the address 0x00007ffff7e10cf8, which holds the code for pop rax; ret. On passing this input in little-endian format, my bash issues a warning saying: bash: warning: command substitution: ignored null byte in input, and prints only up to 7f, ignoring the NULL bytes.

To make sure that I got the concept right (that bash IGNORES NULL bytes and does not stop parsing on encountering the first one), I tried echo $(printf "\x00\x55\x44\x33\x22\x00\x34") and the output was

bash: warning: command substitution: ignored null byte in input
UD3"4

So yes, bash simply ignores the NULL bytes and keeps parsing till the end.

Is there a way to actually pass in NULL bytes in bash? I am using bash version 5.0.3
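The observation in the question, as an added example that is not part of the original post: the same eight little-endian bytes of 0x00007ffff7e10cf8 are counted three ways, through a pipe, through command substitution, and through a file written directly by printf. The byte string, the function names and the use of octal escapes (accepted by both bash's and POSIX printf, whereas \xNN is a bash extension) are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original question: where NUL bytes survive.
# 0x00007ffff7e10cf8 in little-endian byte order, as the question would emit it.
# Two of the eight bytes are 0x00 (octal escapes so that POSIX printf accepts them).
LE_BYTES='\370\014\341\367\377\177\000\000'

# Bytes reaching a pipe: printf writes all eight, NULs included.
count_via_pipe() {
    printf "$LE_BYTES" | wc -c | tr -d ' '
}

# Bytes surviving command substitution: the shell drops NULs from $(...) output
# (bash prints "ignored null byte in input" on stderr), so only six remain.
count_via_substitution() {
    s=$(printf "$LE_BYTES")
    printf '%s' "$s" | wc -c | tr -d ' '
}

# Bytes reaching a file written directly by printf, with no substitution in between.
count_via_file() {
    tmp=$(mktemp)
    printf "$LE_BYTES" > "$tmp"
    n=$(wc -c < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}

# Stand-alone run: prints "8 6 8".
echo "$(count_via_pipe) $(count_via_substitution) $(count_via_file)"
```

The loss happens only at the point where bytes are turned into a shell string, so the fix is to never route NUL-bearing data through $(...) or a variable: write it with printf straight into a pipe (printf ... | ./program) or into a file that the program reads.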


Solution

  • A shell script is not really the recommended way to patch binary files. However, it can be done with dd. Say you have to write 0x00007ffff7e10cf8 at positions 0xff00-0xff07 of a file, overwriting the bytes which are already there (counting starts from 0). You can use

    #!/bin/bash
    
    input='original.bin'
    output='patched.bin'
    patch='\x00\x00\x7f\xff\xf7\xe1\x0c\xf8' # Keep an eye on endianness!
    start="$((16#FF00))"                     # byte offset of the patch (0xFF00 = 65280)
    
    {
      dd if="$input" bs="$start" count=1 2>/dev/null                  # bytes 0 .. start-1, unchanged
      printf "$patch"                                                 # the patch bytes, NULs included
      dd if="$input" bs="$((start+${#patch}/4))" skip=1 2>/dev/null   # everything after the patch
    } >"$output"
    # ${#patch}/4 is the patch length in bytes because every byte is spelled as a 4-character \xNN escape.
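A generalised form of the answer's dd recipe, added here as example code rather than the answer's own: it takes the file, offset and bytes as arguments, measures the patch length by writing it to a temporary file (so it does not depend on every byte being spelled as \xNN), and reads the patched region back through od to confirm the result. The 32-byte input file, the offset 16, the function names and the octal-escaped byte string are constructed for this demo.

```shell
#!/bin/sh
# Added example, not the answer's own code: reusable dd-based byte patching
# with a read-back check.

# patch_bytes FILE OFFSET ESCAPES
# Overwrites FILE at OFFSET with the bytes produced by `printf ESCAPES`.
patch_bytes() {
    file=$1; start=$2; patch=$3
    tmp=$(mktemp)
    printf "$patch" > "$tmp"             # NULs survive: no command substitution involved
    len=$(wc -c < "$tmp" | tr -d ' ')    # exact byte count of the patch
    out=$(mktemp)
    {
        dd if="$file" bs=1 count="$start" 2>/dev/null            # bytes before the patch
        cat "$tmp"                                                # the patch itself
        dd if="$file" bs=1 skip=$((start + len)) 2>/dev/null      # everything after it
    } > "$out"
    mv "$out" "$file"
    rm -f "$tmp"
}

# hex_at FILE OFFSET LEN: contiguous lowercase hex of LEN bytes starting at OFFSET
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# Demo on a constructed file: 32 bytes of 0x41, then bytes 16..23 replaced by
# the little-endian encoding of 0x00007ffff7e10cf8. Returns
# "<size> <hex of bytes 0..15> <hex of bytes 16..23> <hex of bytes 24..31>".
demo() {
    f=$(mktemp)
    printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > "$f"
    patch_bytes "$f" 16 '\370\014\341\367\377\177\000\000'
    before=$(hex_at "$f" 0 16)
    patched=$(hex_at "$f" 16 8)
    after=$(hex_at "$f" 24 8)
    size=$(wc -c < "$f" | tr -d ' ')
    rm -f "$f"
    echo "$size $before $patched $after"
}

demo
```

bs=1 keeps the arithmetic trivial and works for offset 0, at the cost of one read syscall per byte; the answer's bs="$start" count=1 form is much faster on large files but needs start > 0 and relies on dd getting a full block per read, which holds for regular files but not for pipes.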