I am trying to perform a buffer overflow attack on a program for a class assignment. Both the attack program and the vulnerable programme are written by me.
The vulnerable code uses scanf to read data from stdin.
Running ./vulnerable < malicious_payload_file.txt works fine.
Both more malicious_payload | ./vulnerable and echo JUNK_JUNK_JUNK_JUNK | ./vulnerable also work as expected.
However, I would like to use the attack programme to keep supplying incrementally longer payloads till the programme crashes. So, I need to dynamically generate larger payloads of junk. I am using system("./vulnerable"); to repeatedly call it and test for an abnormal exit.
How do I specify such a payload?
Is there a way to run ./vulnerable < malicious_payload_binary, or some other way in which I do not have to put the malicious payload in a file but can specify it on the command line?
Rather than trying to use the command line, you might try using popen instead of system:
#include <stdio.h>

FILE *fp = popen("./vulnerable", "w");
// write stuff to fp -- it goes to vulnerable's stdin
int exitcode = pclose(fp);   // wait status of ./vulnerable, as system() would report it
The exit code you get from pclose is the same as what you would have got from system, had you used another process to create the data and piped it via the shell to ./vulnerable.