For academic purposes I want to try to exploit a strcpy function with a buffer overflow attack using C#, by passing some arbitrarily long string that contains specific binary data (raw bytes).
I am trying something similar to this C# code, but that obviously doesn't work:
    static void Main(string[] args)
    {
        string cPath = @"C:\Debug";
        // Each "0xCA" here is the four-character text 0xCA, not the byte 0xCA.
        var strCmdText =
            "0xCA" + "0xCA" + "0xCA" + "0xCA" + "0xCA" + ...;
        string filename = Path.Combine(cPath, "Buffer.exe");
        var proc = System.Diagnostics.Process.Start(filename, strCmdText);
    }
We assume that the target application uses single-byte characters as its argv. So...
Our test application is called Buffer.exe and its source code is:
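    #include <stdio.h>
    #include <string.h>

    /* Print a string, its length, and each of its bytes in hex. */
    void print_str(char* str)
    {
        size_t length = strlen(str);
        printf("Line: '%s'\n", str);
        printf("Len : '%zu'\n", length);
        printf("Hex :");
        for (size_t i = 0; i < length; i++)
        {
            /* Cast so that bytes >= 0x80 are not sign-extended when printed. */
            printf("\t0x%02x", (unsigned char)str[i]);
        }
        printf("\n");
    }

    int main(int argc, char* argv[])
    {
        /* argv[0] is the program name, so start at 1. */
        for (int i = 1; i < argc; i++)
        {
            char* str = argv[i];
            printf("Argument #%d:\n", i);
            print_str(str);
        }
        printf("Press enter to exit\n");
        getchar();
        return 0;
    }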
It just prints the passed arguments both as strings and as hex values, so for arguments "a1" "b2" it will print
    Argument #1:
    Line: 'a1'
    Len : '2'
    Hex : 0x61 0x31
    Argument #2:
    Line: 'b2'
    Len : '2'
    Hex : 0x62 0x32
    Press enter to exit
What we need are:
Our argument creating application is the following:
    using System;
    using System.Diagnostics;
    using System.Text;

    public static class Program
    {
        public static String BytesToCommandLineArgument(Byte[] array)
        {
            // Encoding.Default is the system ANSI code page on .NET Framework;
            // on .NET Core / .NET 5+ it is UTF-8, which will not map bytes one-to-one.
            var ascii = Encoding.Default.GetString(array);
            // "Escape" it here. Disclaimer - it is actually a wrong way to escape a command line argument.
            // See https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
            // for a way to do it correctly at least on Win32
            return String.Format("\"{0}\"", ascii);
        }

        public static void Main()
        {
            try
            {
                var bytes = new Byte[] { 0x10, 0x31, 0x13, 0x61, 0x20 };
                // Start Buffer.exe with the bytes as its single argument and wait for it.
                using (var process = Process.Start(
                    fileName: "Buffer.exe",
                    arguments: BytesToCommandLineArgument(bytes)))
                {
                    process.WaitForExit();
                }
            }
            catch (Exception exc)
            {
                Console.WriteLine(exc);
            }
            Console.WriteLine("Press any key...");
            Console.ReadKey(true);
        }
    }
As you can see, our test byte array contains spaces and newlines, so we can at least be sure that our solution won't strip them (though, as I've said, something like a quote at the end will break it).
    Argument #1:
    Line: '►1‼a '
    Len : '5'
    Hex : 0x10 0x31 0x13 0x61 0x20
    Press enter to exit
PS1: Don't forget that this solution escapes command line incorrectly - https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ ! It may not cause any issues on most of the data in the possible dataspace, but it will certainly do on some data.
PS2: How do you convert Byte Array to Hexadecimal String, and vice versa? may be of use for you if you have a need to input the data dynamically.
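The quoting problem that PS1 warns about, as an added example that is not part of the original answer: a C# helper that follows the backslash and double-quote rules described in the linked post, so the MSVC runtime parser in Buffer.exe recovers the argument unchanged. The class and method names are hypothetical, and the sample strings are constructed.

```csharp
using System;
using System.Text;

// Added example: hypothetical helper, not code from the original answer.
public static class ArgvQuoting
{
    // Quote one argument so the MSVC runtime's command-line parser
    // (the one that fills argv in Buffer.exe) yields it back unchanged.
    public static string Quote(string arg)
    {
        // argv entries are NUL-terminated C strings, so NUL can never be carried.
        if (arg.IndexOf('\0') >= 0)
            throw new ArgumentException("NUL cannot appear inside an argv string");

        // Nothing to protect: non-empty, no whitespace, no double quote.
        if (arg.Length > 0 && arg.IndexOfAny(new[] { ' ', '\t', '\n', '\v', '"' }) < 0)
            return arg;

        var sb = new StringBuilder("\"");
        int backslashes = 0;
        foreach (char c in arg)
        {
            if (c == '\\') { backslashes++; continue; }
            if (c == '"')
                sb.Append('\\', backslashes * 2 + 1); // escape the run and the quote itself
            else
                sb.Append('\\', backslashes);         // a run before any other char is literal
            sb.Append(c);
            backslashes = 0;
        }
        // A trailing run must be doubled so it does not escape the closing quote.
        sb.Append('\\', backslashes * 2);
        return sb.Append('"').ToString();
    }

    public static void Main()
    {
        // Constructed samples: plain text, the answer's test bytes as characters,
        // a trailing quote, a trailing backslash, and the empty string.
        string[] samples = { "a1", "\u00101\u0013a ", "ends with quote\"",
                             @"C:\dir with space\", "" };
        foreach (var s in samples)
            Console.WriteLine(Quote(s));
    }
}
```

The trailing-quote sample is the case the answer says breaks its `String.Format("\"{0}\"", ascii)` wrapper; here it comes out as `"ends with quote\""`.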