How to pass \ x00 as an argument to a program?

Question

How to pass \ x00 as an argument to a program?

I have a small program where I want to pass shellcode as an argument. In shellcode there is a need to transfer \ x00. I tried the following command:

./program `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"'`

But \ x00 is not registered at all! The arguments passed to the program are "\ x01 \ x9c \ xff \ xbf".

I do not think this is a problem with python, but rather with a shell that passes an argument. I am using a bash shell.

Now, how to make the shell pass the argument '\ x00'?

Thanks and respect,
Hrishikesh Murali

+4

command-line shell shellcode

Hrishikesh murali Sep 06 '11 at 7:17

source share

6 answers

l0b0 · Answer 1 · 2012-03-21T11:06:53+0000

If you check with wc , you will find that the NUL character is actually passed:

 $ python -c 'print "\x00"' | wc -c 2

To get rid of a new line at the end:

 $ python -c 'import sys; sys.stdout.write("\x00")' | wc -c 1

This data is passed to the script, but the problem is that NUL cannot be part of the variable value.

To find out how to do this, try passing this script:

 $ cat test.sh #!/usr/bin/env bash echo ${#1} $ ./test.sh "$(python -c 'import sys; sys.stdout.write("\x00")')" 0

Gone But there is a way to save the day - read from standard input using either a redirect or a channel:

 $ cat test2.sh #!/usr/bin/env bash wc -c $ ./test2.sh < <(python -c 'import sys; sys.stdout.write("\x00")') 1 $ python -c 'import sys; sys.stdout.write("\x00")' | ./test2.sh 1

Christopher creutzig · Answer 2 · 2011-09-06T07:35:12+0000

Not at all. Unix uses C-style strings for the arguments the command is called with, and they are character sequences with a null character.

What you can do is rewrite your program (or find a call option) to accept a parameter in your standard input. NUL bytes work very well and, in fact, are widely used, as a rule, as delimiters for file names, since they are pretty much the only thing that a file name can never contain. See find -print0 and xarg switch -0 for the most popular examples.

asxalex · Answer 3 · 2015-07-31T06:43:23+0000

the xargs command with the --null option can help:

 python -c 'print "\x30\x00\x31"' | xargs --null ./program

I tried this and it worked.

dogbane · Answer 4 · 2011-09-06T07:43:01+0000

I believe this is because Bash discards null characters.

To test this, I used the od command to unload the parameters in octal format using the following script:

 $ cat script.sh #!/bin/bash echo " $@ " | od -c

and launched it using:

 $ script.sh `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"'` 0000000 001 234 330 377 277 \n 0000006

Zero characters are not printed.

To work around this problem, go to hexdump and then undo it in your program. Example:

 $ cat script.sh #!/bin/bash echo " $@ " | xxd -r -p | od -c $ script.sh `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"' | xxd -p` 0000000 001 \0 \0 \0 234 330 377 277 \n 0000011

You will now see that null characters are printed.

renzor · Answer 5 · 2011-09-08T17:05:21+0000

You can try to place the shellcode in a file, and then read it and transfer it to an executable file.

sort of:

 $ cat shellcode.txt \xb5\x06\x40\x00\x00\x00\x00\x00 $ perl -e ' $a = `cat shellcode.txt`; chomp($a); print $ax 10; ' \xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00 \x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00 \xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00 \x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00\xb5\x06\x40\x00\x00\x00\x00\x00

use the above perl cmdline as an argument to the program

 $ ./program $(perl -e ' $a = `cat shellcode.txt`; chomp($a); print $ax 10; ')

Victor choy · Answer 6 · 2018-10-04T13:45:05+0000

You can try this,

 main.out 'perl -e 'print "xxxxssssdd\x23\x00\xaf"''

and

 perl -e 'print "xxxxssssdd\x23\x00\xaf"' | wc -c 13

This proves that \ x00 is passed.

By the way, in my test I find with the program the condition \ 00 in argv. You can learn argv for example

  x /8sb 0x7fffffffe46a 0x7fffffffe46a: "/home/victor/Documents/CDemo/overflow/shellcode2/shellcode_host.out" 0x7fffffffe4ae: '\220' <repeats 21 times>, "\353#YUH\211\ 345@ \200\354\200H\211M\220H1\300H\211E\230H\211\302H\215u\220H\213}\220\260;\017\005\350\330\377\377\377/bin/sh\200\337\377\377\377\177" 0x7fffffffe4fb: "LC_PAPER=zh_CN.UTF-8"

So I assume that the shell or c program may automatically provide for the \ x00 chararcter. Maybe someone can explain why this is happening.

But we have another way to avoid \ x00 in shellcode.

 mov $59, %al # not %rax sub $0x80, %spl # not %rsp xorq %rax, %rax # construct 0 value with rax

You can refer to the article. https://www.exploit-db.com/docs/english/13019-shell-code-for-beginners.pdf

How to pass \ x00 as an argument to a program?

More articles: