从Python传递shellcode作为命令行参数

Question

I am currently preparing a small presentation about computer security among my fellow students. To get them at least a bit excited I wanted to demonstrate how the wrong use of the strcpy-function inc C can be exploited. This is the code of the vulnerable program:

#include<string.h>
#include<stdio.h>
void function(char *buffer1)
{
 char buffer2[5];
 strcpy(buffer2,buffer1);
}

int main (int argc, char **argv)
{
 function(argv[1]);
 return 0;
}

Just using the command line I was able to crash the application by calling it with

test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ

Which gave me the correct 0x4D4C4B4A (MLKJ) for the EIP. It also works if I call it from Python:

os.system("test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ")

However, if I want to put an address instead of JKLM, like this:

 os.system("test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")

It gives me following output near the ESP on the Stack:

0028cca0  e4 21 d7 41 42 43 44 45-46 47 48 49 75 c2 9a 21  .!.ABCDEFGHIu..!
0028ccb0  1b 4e 4f 50 51 52 53 54-55 56 57 58 59 5a 00 00  .NOPQRSTUVWXYZ..

Here the 75 c2 9a 21 matters because it is almost what I expected, except the 0x1B, which is the ASCII Character for ESCAPE, is replaced by 0xC2. When I change the order of the address, so it looks like this: \\x21\\x1b\\x75\\x9a, the 9a gets replaced by the same mysterious C2. Does anyone know whats the matter with the code? Am I missing some basic point or is it some kind of protection against stack based buffer overflows?

Thanks,

Answer 1

It looks like your text is undergoing UTF-8 conversion. Note that your original bytes:

75 9a 21 1b
   ^^

are replaced by

75 c2 9a 21 1b
   ^^^^^

I've highlighted the UTF-8 encoded byte. If you're using Python 3, try:

os.system(b"test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")

The b"" indicates that the data is a byte sequence, and shouldn't be converted from Unicode to the default encoding (which in your case seems to be UTF-8).