
Re: Overflowing an interactive app

From: Michal Zalewski <lcamtuf(at)coredump.cx>
Date: Tue Aug 12 2003 - 12:50:49 EDT


On Tue, 12 Aug 2003, Steven Micallef wrote:

> I'm trying to write a buffer overflow for an application that prompts

You didn't mention the operating system, or the kind of interaction the application requires. If it runs in a dumb terminal mode, you can indeed use pipes - and you usually don't even have to use popen(), you can rely on pipe support of your shell ('exploit | application') on systems that support this. Or, better yet, you don't need to code an exploit at all, just put a shellcode in a file, then run 'buggy_app <shellcode'.

If you mean *nix, chances are, the application uses certain more advanced terminal features and will refuse to run with stdin not pointing to a pseudo-terminal (su, sudo, passwd, screen and many other applications come to mind). In this case, you need a way to put characters into its input queue, which is quite OS-dependent and often poorly documented. On Linux, you can do it with the TIOCSTI ioctl.

If the application runs under X11 (or Windows or what not), it gets even fuzzier: you need to send the right type of messages to the right window, some more coding.

So, you probably need to give us more data to get more specific answers.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-12 18:41 --
Received on Tue Aug 12 14:20:26 2003
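As an added example (not code from the thread), this C program shows the pseudo-terminal approach the reply contrasts with plain pipes: it runs a command with its standard streams on a fresh pty slave so that the program's isatty() check passes, feeds it input through the master side, and, as the caveat a modern Linux admin would want, reports whether the kernel still permits the TIOCSTI injection the reply mentions (Linux 6.2 and later can refuse it through the dev.tty.legacy_tiocsti sysctl). Function names are mine; the sysctl path is the real Linux one.

```c
#define _GNU_SOURCE                                   /* posix_openpt(), grantpt(), ptsname() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv with stdin/stdout/stderr on the slave side of a fresh pseudo-terminal, write
 * `input` to the master, collect the output (echo included). Exit status, or -1 on failure. */
int run_under_pty(char *const argv[], const char *input, char *out, size_t outsz)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) return -1;
    const char *slave_name = ptsname(master);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setsid();                              /* new session: no controlling tty yet */
        int slave = open(slave_name, O_RDWR);  /* first tty opened becomes the ctty */
        if (slave < 0) _exit(127);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        close(master);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (write(master, input, strlen(input)) < 0) return -1;
    size_t n = 0; ssize_t r;                  /* read() fails with EIO once the slave is closed */
    while (n < outsz - 1 && (r = read(master, out + n, outsz - 1 - n)) > 0) n += (size_t)r;
    out[n] = '\0';
    int status = 0; waitpid(pid, &status, 0);
    close(master);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Since Linux 6.2, dev.tty.legacy_tiocsti says whether TIOCSTI may push bytes into a
 * terminal's input queue at all; "0" means the ioctl is refused outright. */
int tiocsti_allowed_from_text(const char *sysctl_text)
{
    return sysctl_text == NULL || sysctl_text[0] != '0';  /* absent sysctl = older kernel */
}

int legacy_tiocsti_allowed(void)
{
    char buf[8] = {0};
    FILE *f = fopen("/proc/sys/dev/tty/legacy_tiocsti", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    return tiocsti_allowed_from_text(f ? buf : NULL);
}
```

A harness built this way is what test tools such as expect use to exercise programs that insist on a terminal; run_under_pty() returns -1 where no /dev/ptmx is available.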

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:41 EDT

