1

I need to do a buffer overflow for my system security course. Therefore I do have a program(called canary) I need start which asks for a input string (read()). I need to calculate a canary(random canary built with PID and time) for a successful buffer overflow. I already wrote a program(getcanary) which gets me the right canary. The problem: I try to start canary in a extra terminal, then get the PID of it, then calculate the program followed by a write to canary's STDIN. The last thing is where I have a Problem.

#!/bin/bash
echo "start canary"
x-terminal-emulator -e ./canary &
sleep 1
PID=$(pgrep canary)
CANARY=$(./getcanary $PID)

How can I write the command to the extra terminal? I already tried several solutions, 

echo "cmd" > /proc/$PID/fd/0

is one of it I also tried

mkfifo fifo
cat > fifo &
./canary < fifo
echo "cmd" > fifo

some other solutions are not allowed by my environment, as the script must run on a clean install of xubuntu, so I can't use screen or tmux

I hope you can help me, Thank you! :)

PS.: I'm sorry if I misunderstood any of these solutions I tried, I'm not very familiar with shell scripting.

asked Oct 29, 2017 at 20:26
9
  • Put the write into the code that's performed inside the terminal emulator, rather than trying to do it from outside. For example: x-terminal-emulator -e 'echo "cmd" | ./canary' Commented Oct 29, 2017 at 20:31
  • Thank you, the problem is, I need the canary first to build the right canary (otherwise the buffer overflow won't be successful) therefore I need the PID of the canary process and therefore I need to start the process at first Commented Oct 29, 2017 at 20:37
  • Let's back up here a bit. Why are you running a terminal emulator at all? Commented Oct 29, 2017 at 20:42
  • The easy way to do this is to run the program as a bash coproc, assuming you don't really need the terminal. Commented Oct 29, 2017 at 20:43
  • 1
    coproc { canary; } puts the PID of the canary in $COPROC_PID, lets you write to it with echo "something" >&${COPROC[1]}, and lets you read from it with read varname <&${COPROC[0]}. Commented Oct 29, 2017 at 20:47

1 Answer 1

2

Write to the terminal, not to the running process!

#!/bin/bash
echo "start canary"
x-terminal-emulator -e ./canary &
termpid=$!
sleep 1
xvkbd -window $(xdotool search --sync --pid $termpid) -text "echo Hello world!\n"
answered Oct 29, 2017 at 21:18
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.