How can I write a string, then a null byte, then more data using scanf() in the perspective of a buf

Time:08-28

In the perspective of attacking a more complex program with a buffer overflow, I am trying to use a scanf() call in the following way:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    int len = 32;          /* the variable the question wants to reach by overflowing username */
    char username[32];

    printf("Please enter your username: ");
    scanf("%s", username); /* scanf that interests me: no field width, so the write is unbounded */

    if (strcmp(username, "admin") == 0) {
        printf("Ok %s! Here is the desired data: ", username);
    } else {
        printf("Sorry you don't have access\n");
    }

    return 0;
}

The objective would be to be able to write the buffer username with "admin", then a null byte, then some data to overflow on the len variable. This way the strcmp(username, "admin") would succeed and we would enter the condition, and at the same time would be able to overflow on len.

How can I form an input for scanf() that would do that? My main problem is that I don't know how to enter a null byte using the scanf("%s", username) function, even though I know that the scanf("%s", username) will not stop at a null byte and will keep scanning.

CodePudding user response:

You can create the input using echo or printf in the shell, and send it as input to your program. You can do the following in Linux, or any other Unix-based system.

$ printf 'admin\x00abcdefgh' | ./a.out # \x00 is the null byte
$ echo -e 'admin\x00abcdefgh' | ./a.out
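For the defensive side of the same behaviour, here is an added example (not code from the question or the answer above): the username read done with a field width so it cannot write past the 32-byte buffer, plus a check that catches the spliced NUL byte, which strcmp() alone cannot see because it stops at the first NUL. It assumes a POSIX libc for fmemopen(), used only to feed constructed sample input in place of a terminal; NAME_LEN, read_username() and read_status() are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 32
enum { NAME_OK = 0, NAME_EOF = -1, NAME_EMBEDDED_NUL = -2, NAME_TOO_LONG = -3 };

/* Read one whitespace-delimited username into buf[NAME_LEN]. Unlike the
 * unbounded scanf("%s", username) above, this bounds the write with a field
 * width, rejects a token carrying an embedded NUL (the "admin\0..." splice,
 * invisible to strcmp()) and rejects over-long tokens instead of truncating. */
int read_username(FILE *in, char buf[NAME_LEN]) {
    int c, consumed = 0, next;
    while ((c = getc(in)) != EOF && isspace(c))  /* skip leading whitespace here */
        ;                                        /* so %n counts only token bytes */
    if (c == EOF)
        return NAME_EOF;
    ungetc(c, in);
    if (fscanf(in, "%31s%n", buf, &consumed) != 1)  /* 31 = NAME_LEN - 1 */
        return NAME_EOF;
    /* %s copies a NUL byte like any other non-space byte, so inspect every
       byte it stored instead of trusting strlen(), which stops at that NUL */
    if (memchr(buf, '\0', (size_t)consumed) != NULL)
        return NAME_EMBEDDED_NUL;
    next = getc(in);
    if (next != EOF && !isspace(next))  /* more token bytes pending: did not fit */
        return NAME_TOO_LONG;
    return NAME_OK;
}

/* Constructed sample inputs; SAMPLE_SPLICE is the input from the question. */
static const char SAMPLE_PLAIN[]  = "admin\n";
static const char SAMPLE_SPLICE[] = "admin\0abcdefgh";
static const char SAMPLE_LONG[]   = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; /* 40 'A' */
/* Feed n raw bytes (NULs included) through read_username() via an in-memory
   FILE; returns its status and sets *is_admin to the strcmp() verdict. */
int read_status(const char *bytes, size_t n, int *is_admin) {
    char buf[NAME_LEN];
    FILE *in = fmemopen((void *)bytes, n, "r");
    int rc = in ? read_username(in, buf) : NAME_EOF;
    if (in) fclose(in);
    *is_admin = (rc == NAME_OK && strcmp(buf, "admin") == 0);
    return rc;
}

int main(void) {
    int admin, rc = read_status(SAMPLE_SPLICE, sizeof SAMPLE_SPLICE - 1, &admin);
    printf("splice: status %d, admin=%d\n", rc, admin);  /* -2, 0 */
    return 0;
}
```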
