Passing arbitrary binary data from C# application to another application using command line arguments

Question

For academic purposes I want to try to exploit an strcpy function with a buffer overflow attack using C#, by passing some arbitrarily long string, that contains a specific binary data (raw bytes).

I am trying something similar to this C# code, but that obviously doesn't work:

static void Main(string[] args)
{
    string cPath = @"C:\Debug";
    var strCmdText =
        "0xCA" + "0xCA" + + "0xCA" + "0xCA" + "0xCA" + ...;
    string filename = Path.Combine(cPath, "Buffer.exe");
    var proc = System.Diagnostics.Process.Start(filename, strCmdText);
}

Answer 1

We assume that the target application uses single-byte characters as its argv . So...

1. Test application

Our test application is called Buffer.exe and its source code is:

void print_str(char* str)
{
    size_t length = strlen(str);
    printf("Line: '%s'\n", str);
    printf("Len : '%d'\n", length);
    printf("Hex :", length);

    for (size_t i = 0; i < length; i++)
    {
        printf("\t0x%02x", str[i]);
    }

    printf("\n");
}


int main(int argc, char* argv[])
{
    for (int i = 1; i < argc; i++)
    {
        char* str = argv[i];
        printf("Argument #%d:\n", i);
        print_str(str);
    }

    printf("Press enter to exit\n");
    getchar();
}

It just prints the passed arguments both as strings and as hex values, so for arguments "a1" "b2" it will print

 Argument #1: Line: 'a1' Len : '2' Hex : 0x61 0x31 Argument #2: Line: 'b2' Len : '2' Hex : 0x62 0x32 Press enter to exit 

2. Main "ingredients"

What we need are:

1. A way to turn bytes to analogous "single byte characters" (actually they will still be 2-byte UTF-16 chars on the C# side, but [OS should pass them to our receiver]/[Buffer.exe should interpret] as single byte characters with the same binary value we started on the C# side) - for that we need Encoding.Default (as corrected by @Tom Blodget) property and its Encoding.GetString method.
2. A way to ensure that our argument line is correctly escaped (so that 0x20-Space won't split our big argument into multiple and other particularities won't affect the command line either) - for simplicity we will just escape an entire line with quotes, but for a proper solution (at least on Win32) see https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ .

3. Implementation

Our argument creating application is the following:

public static String BytesToCommandLineArgument(Byte[] array)
{            
    var ascii = Encoding.Default.GetString(array);
    // "Escape" it here. Disclaimer - it is actually a wrong way to escape a command line argument.
    // See https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ 
    // for a way to do it correctly at least on Win32
    return String.Format("\"{0}\"", ascii); 
}

public static  void Main()
{
    try
    {
        var bytes = new Byte[] { 0x10, 0x31, 0x13, 0x61, 0x20 };

        using (var process = Process.Start(
            fileName: "Buffer.exe",
            arguments: BytesToCommandLineArgument(bytes)))
        {
            process.WaitForExit();
        }
    }
    catch (Exception exc)
    {
        Console.WriteLine(exc);
    }
    Console.WriteLine("Press any key...");
    Console.ReadKey(true);
}

4. Testing

As you can see our test byte array contains spaces and newlines, so we can at least be sure that our solution won't strip them (though as I've said something like quote on the end will break it).

 Argument #1: Line: '►1‼a ' Len : '5' Hex : 0x10 0x31 0x13 0x61 0x20 Press enter to exit 

PS1: Don't forget that this solution escapes command line incorrectly - https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ ! It may not cause any issues on most of the data in the possible dataspace, but it will certainly do on some data.

PS2: How do you convert Byte Array to Hexadecimal String, and vice versa? may be of use for you if you have a need to input the data dynamically.