I have this little exploitable file:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
// gcc -z execstack -z norelro -fno-stack-protector -o format0 format0.c
int target;

void vuln(char *string)
{
    printf(string);            // user-controlled format string
    if (target) {
        printf("Tyes yes eys");
    }
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
    return 0;
}
It's very simple, I compile like this:
gcc file.c -o file -no-pie
and then I run it like this to get it to leak some values:
./file %x
38b3fda8
Which works perfectly. But I want to automate this a bit, using python. So I try the following:
$ ./form &(python -c "print('%x'*3)")
[1] 30633
%x%x%x
[1] Done ./form
and this looks super weird. Firstly, the string format error is not triggered. Then it prints its own name and some other random stuff. I also tried doing this in gdb, with the same result.
How do I give input with python like every other tutorial online?
CodePudding user response:
I think you meant:
./form $(python -c "print('%x'*3)")
What ./form &(python -c "print('%x'*3)")
does is:
./form &
(python -c "print('%x'*3)")
i.e. form is run in the background (process 30633 in your example). Python is run in the foreground in a subshell (and prints out %x%x%x to your terminal).
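The bug the question's ./file %x run demonstrates is printf(string) with user data as the format. The example below is added here and is not code from the question or the answer: count_format_directives() and is_plain_text() are hypothetical helpers that scan an argument for conversion directives (the check a test harness can use to flag the unsafe pattern), and vuln_fixed() is the hardened form of vuln(), which prints the argument through "%s" so "%x" is echoed literally.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted; a trailing lone
 * '%' is ignored. Flags, width, precision, "n$" positional prefixes
 * and length modifiers are skipped, so "%08lx" and "%2$s" each count
 * as one directive. Hypothetical helper, not from the question. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;                       /* look at the char after '%' */
        if (*p == '%')
            continue;              /* "%%" is an escaped percent */
        if (*p == '\0')
            break;                 /* dangling '%' at end of string */
        n++;
        /* skip flags, digits, '$', '.', '*' and length modifiers */
        while (*p && strchr("-+ #0123456789$.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                 /* directive cut off at end of string */
    }
    return n;
}

/* 1 if the string carries no directives and can only print literally,
 * 0 if using it as a format would read the stack, as "%x" does above. */
int is_plain_text(const char *s)
{
    return count_format_directives(s) == 0;
}

/* Hardened form of vuln() from the question: user data is an argument,
 * never the format, so "%x" is printed as the two characters '%' 'x'. */
void vuln_fixed(const char *string)
{
    printf("%s\n", string);
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "%x%x%x";   /* constructed sample */
    printf("directives: %d, plain: %d\n",
           count_format_directives(arg), is_plain_text(arg));
    vuln_fixed(arg);
    return 0;
}
```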