Vulnerability Development mailing list archives

Re: Overflowing an interactive app


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 12 Aug 2003 18:50:49 +0200 (CEST)

On Tue, 12 Aug 2003, Steven Micallef wrote:

> I'm trying to write a buffer overflow for an application that prompts
> the user for input. Upon supplying the (over)lengthy input, the app
> segfaults. My question is, what method would I use in my exploit to
> supply the overflow string? I think using popen() and then fprintf() is
> the best way to do this, but I'm new to this, so I was hoping for some
> suggestions.

You didn't mention the operating system, or the kind of interaction the
application requires. If it runs in a dumb terminal mode, you can indeed
use pipes - and you usually don't even have to use popen(), you can rely
on pipe support of your shell ('exploit | application') on systems that
support this. Or, better yet, you don't need to code an exploit at all,
just put a shellcode in a file, then run 'buggy_app <shellcode'.

If you mean *nix, chances are, the application uses certain more advanced
terminal features and will refuse to run with stdin not pointing to a
pseudo-terminal (su, sudo, passwd, screen and many other applications come
to mind). In this case, you need a way to put characters into its input
queue, which is quite OS-dependent and often poorly documented. On Linux,
you can do it with TIOCSTI ioctl.

If the application runs under X11 (or Windows or what not), it gets even
more fuzzy, you need to send the right type of messages to the right
window, some more coding.

So, you probably need to give us more data to get more specific answers.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-12 18:41 --
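Added example, not part of the thread or of Michal's post: a small C program showing the two mechanics the reply touches on from the receiving program's side. First, the isatty() check on stdin that programs such as su, sudo and passwd make, which is why plain redirection ('buggy_app <file') or a shell pipe is refused by them while a dumb-terminal program happily reads from either. Second, a length-bounded prompt reader that rejects overlong input and drains the rest of the line instead of writing past the buffer, which is the fix for the segfault the original question describes. The function names (stream_is_terminal, read_prompt_line, string_stream) and the sample inputs are my own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return codes for read_prompt_line(). */
enum { PROMPT_OK = 0, PROMPT_TOO_LONG = -1, PROMPT_EOF = -2 };

/* True when the stream is attached to a (pseudo-)terminal. A program that
 * insists on a terminal makes this check on stdin and refuses to run when
 * its input comes from a pipe or a redirected file. */
int stream_is_terminal(FILE *in)
{
    int fd = fileno(in);
    return fd >= 0 && isatty(fd);
}

/* Read one line into buf (capacity cap, including the terminating NUL).
 * Input longer than the buffer is never written past its end: the excess
 * is drained up to the newline and PROMPT_TOO_LONG is returned, so the
 * caller can reject the request instead of crashing on it. */
int read_prompt_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return PROMPT_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return PROMPT_OK;
    }
    /* No newline in the buffer: the line either filled it exactly, ended
     * at EOF without a newline, or was too long. Peek one char to decide. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return PROMPT_OK;
    while (c != EOF && c != '\n')      /* discard the rest of the long line */
        c = fgetc(in);
    buf[0] = '\0';
    return PROMPT_TOO_LONG;
}

/* Build a FILE* over a constructed string (via tmpfile()) so the reader can
 * be exercised offline without a terminal. Test helper only. */
FILE *string_stream(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    char name[16];   /* deliberately small so the bound is easy to hit */

    if (!stream_is_terminal(stdin))
        fprintf(stderr, "note: stdin is a pipe or file, not a terminal\n");

    printf("name: ");
    fflush(stdout);
    int rc = read_prompt_line(stdin, name, sizeof name);
    if (rc == PROMPT_TOO_LONG) {
        fprintf(stderr, "rejected: input longer than %zu chars\n", sizeof name - 1);
        return 1;
    }
    if (rc == PROMPT_EOF)
        return 1;
    printf("hello, %s\n", name);
    return 0;
}
```

Run it as 'printf "%0100d\n" 0 | ./prompt' to see the overlong line rejected with a clean error rather than a crash, and interactively to see the terminal check pass.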
