2

I wrote my first buffer overflow exploit and it worked well with

./vulnerable $(cat payload)

but when I tried to launch it from a Python shell it didn't work

import os
os.system("./vulnerable $(cat payload)")

This does a segmentation fault. Can someone explain why? Is there a difference in the memory when it's launched in different environments?

Improve this question
1
  • Have you checked out how Python handles os.system? Commented Jan 18, 2022 at 23:54

2 Answers 2

Reset to default
1

Are you using a reliable pivot, like jmp esp or are you jumping to a fixed address on the stack? If you're using the latter then your addresses are likely misaligned, and you should consider using a reliable pivot instead. If the former you'll need to inspect the crash by enabling coredumps and loding the core into a debugger.

Improve this answer
1

The Shell Command

When you execute:

./vulnerable $(cat payload)

in the shell, the command is interpreted by the shell itself. Here’s what happens step-by-step:

  1. $(cat payload) is a shell substitution. The shell executes cat payload and replaces $(cat payload) with the output of that command.
  2. As a result, the ./vulnerable program is invoked with the contents of the payload file directly as its argument.

The Python Command

When you try the equivalent in Python:

import os
os.system("./vulnerable $(cat payload)")

the command fails with a segmentation fault. The reason for this lies in how the Python os.system function interacts with the shell and the substitution process. Let’s break this down:

1. Shell Substitution Issue:

The os.system function passes the entire string ./vulnerable $(cat payload) to a subshell. However, this subshell does not perform the substitution correctly in this context. Instead of substituting the output of cat payload into the command, it tries to pass the string $(cat payload) directly to ./vulnerable.

2. Argument Handling:

Unlike a direct shell execution, the Python os.system command does not process the $(...) syntax for command substitution. It requires explicit handling to achieve the same result.

Correct Approach

Here's an example how you could do it within Python:

import os

with open('payload', 'r') as file:
    payload = file.read().strip()

command = f"./vulnerable {payload}"
os.system(command)

In summary, the segmentation fault occurs because the command substitution $(cat payload) isn't processed correctly by os.system in Python. By reading the payload content into a variable and constructing the command string manually, you can achieve the intended behavior without encountering segmentation faults.

Improve this answer
1
  • Have you actually tested this? I just did, and the substitution worked fine. Do you have any references or demo code for the claim that the subshell doesn't process substitutions correctly? Or is this just something that ChatGPT said? Commented Jun 9, 2024 at 8:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.