Different results when running C program from Python Subprocess vs in Bash

Time:03-20

I've got a string/argument that I'd like to pass to a C program. It's a string format exploit.

'\xb2\x33\02\x08x%2$n' 

However, there seems to be different behaviours exhibited if I call the C program from Python by doing

import subprocess
subprocess.Popen(["env", "-i", "./practice", '\xb2\x33\02\x08x%2$n'])

versus

./practice '\xb2\x33\02\x08x%2$n'

The difference is that the string exploit attack works as expected when calling the script via subprocess, but not when I call it through the CLI.

What might the reason be? Thanks.

CodePudding user response:

Bash manpage says:

Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard. Backslash escape sequences, if present, are decoded as follows: [snipped]
\xHH the eight-bit character whose value is the hexadecimal value HH (one or two hex digits)

Then would you please try:

./practice $'\xb2\x33\02\x08x%2$n'
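As an added example (not part of the question or of the answer above), the script below models the bytes that actually reach argv[1] under each way of writing the argument: bash single quotes keep the backslashes literally, bash $'...' decodes the ANSI-C escapes the manpage describes, Python 2 passes a str (which is already bytes) through unchanged, and Python 3's subprocess passes bytes unchanged but runs a str through os.fsencode (normally UTF-8, so '\xb2' becomes the two bytes c2 b2). The ansi_c_decode helper is my own subset of bash's $'...' rules (\xHH, \NNN and the simple escapes; \u, \U and \c are not handled), and observed_argv_bytes is a hypothetical check that spawns a Python child to dump its real argv[1]. The sample argument is the one from the question.

```python
import os
import subprocess
import sys

# Simple escapes bash's $'...' understands (subset; \u, \U and \c are omitted here).
_SIMPLE_ESCAPES = {
    "a": b"\x07", "b": b"\x08", "e": b"\x1b", "E": b"\x1b", "f": b"\x0c",
    "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\x0b",
    "\\": b"\\", "'": b"'", '"': b'"', "?": b"?",
}


def ansi_c_decode(text: str) -> bytes:
    """Decode the body of a bash $'...' word: \\xHH (one or two hex digits),
    \\NNN (one to three octal digits) and the simple escapes above each become
    one byte; unknown escapes and a '\\x' without hex digits are kept literally,
    as bash does. Non-ASCII characters are emitted as UTF-8."""
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch != "\\" or i + 1 == n:          # ordinary character (or trailing backslash)
            out += ch.encode("utf-8")
            i += 1
            continue
        nxt = text[i + 1]
        if nxt == "x":
            j = i + 2
            while j < n and j < i + 4 and text[j] in "0123456789abcdefABCDEF":
                j += 1
            if j == i + 2:                    # '\x' with no hex digits: left as-is
                out += b"\\x"
                i += 2
                continue
            out.append(int(text[i + 2:j], 16))
            i = j
        elif nxt in "01234567":
            j = i + 1
            while j < n and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8) & 0xFF)
            i = j
        elif nxt in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
        else:                                 # unknown escape: backslash survives
            out += b"\\" + nxt.encode("utf-8")
            i += 2
    return bytes(out)


def argv_bytes_single_quoted(literal: str) -> bytes:
    """bash '...': no escape processing, so every backslash reaches argv literally."""
    return literal.encode("utf-8")


def argv_bytes_dollar_quoted(literal: str) -> bytes:
    """bash $'...': ANSI-C escapes are decoded before the program is exec'd."""
    return ansi_c_decode(literal)


def argv_bytes_from_python(arg) -> bytes:
    """subprocess.Popen on POSIX (Python 3): bytes are passed as-is, a str goes
    through os.fsencode, normally UTF-8, so '\\xb2' turns into the two bytes c2 b2."""
    return arg if isinstance(arg, bytes) else os.fsencode(arg)


def observed_argv_bytes(arg) -> bytes:
    """Hypothetical check: spawn a Python child that writes the raw bytes of its
    argv[1] to stdout, to confirm the model in argv_bytes_from_python."""
    child = [sys.executable, "-c",
             "import os, sys; sys.stdout.buffer.write(os.fsencode(sys.argv[1]))", arg]
    return subprocess.run(child, stdout=subprocess.PIPE, check=True).stdout


if __name__ == "__main__":
    literal = r"\xb2\x33\02\x08x%2$n"        # the text as typed between the quotes
    cases = [
        ("bash '...'", argv_bytes_single_quoted(literal)),
        ("bash $'...'", argv_bytes_dollar_quoted(literal)),
        ("Python 3 str", argv_bytes_from_python("\xb2\x33\02\x08x%2$n")),
        ("Python bytes", argv_bytes_from_python(b"\xb2\x33\x02\x08x%2$n")),
        ("child argv[1]", observed_argv_bytes(b"\xb2\x33\x02\x08x%2$n")),
    ]
    for label, data in cases:
        print(f"{label:13s} {len(data):2d} bytes  {data.hex(' ')}")
```

The single-quoted form hands the program 20 bytes (the backslashes and hex digits themselves), while $'...' and a Python bytes argument hand it the 9 decoded bytes; a Python 3 str comes out different again because of the UTF-8 step, which is why a byte-exact argument should be built as bytes rather than as a str when the receiving program's encoding matters.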