python -c 'print("\x90\x32\x45\x89")' | ./vuln
Let's say the address of a shell function is 0x89453290. The snippet above writes that address to stdin as four raw bytes in little-endian order (lowest byte first, which is why the string reads backwards). The snippet below passes the same bytes but keeps stdin open afterwards using the cat program; with cat, you can interact with the shell after injecting the bytes, instead of having it read end-of-file from the closed pipe and exit immediately. Note that print appends a trailing newline, and that Python 3's print would UTF-8-encode bytes above 0x7f rather than emit them raw, so these one-liners assume Python 2 (in Python 3 use sys.stdout.buffer.write instead).
(python -c 'print("\x90\x32\x45\x89")'; cat) | ./vuln
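To make the two points above concrete (byte order, and why the shell dies without cat), here is an added example that is not part of the original page. p32 emits a 32-bit value as raw little-endian bytes using only POSIX printf octal escapes, so it behaves the same regardless of which Python is installed; fake_target is a constructed stand-in for ./vuln that consumes the 4-byte payload and then hands stdin to a shell, which is what a shell function or execve("/bin/sh") shellcode does once control reaches it. The address 0x89453290 is the hypothetical one from the text; nothing here is vulnerable or executes injected bytes.

```shell
# p32: print a 32-bit value as its four raw little-endian bytes, using only
# POSIX printf octal escapes (no Python 2/3 encoding surprises, no trailing newline).
p32() {
    v=$(( $1 ))        # hex literals such as 0x89453290 are accepted by bash and dash
    i=0
    while [ "$i" -lt 4 ]; do
        b=$(( (v >> (8 * i)) & 255 ))
        # inner printf turns 144 into the escape \220, outer printf turns that into byte 0x90
        printf "$(printf '\\%03o' "$b")"
        i=$(( i + 1 ))
    done
}

# Hex dump of p32's output, handy for checking the byte order before sending it anywhere.
p32_hex() { p32 "$1" | od -An -tx1 | tr -d ' \n'; }

# Stand-in for ./vuln after a successful exploit (constructed for this example):
# it consumes the 4-byte "address" and then gives stdin to a shell.
fake_target() {
    dd bs=1 count=4 of=/dev/null 2>/dev/null
    sh
}

# Without cat (or any further input) the shell reads EOF right away and exits,
# so nothing comes back.
exploit_then_eof() {
    p32 0x89453290 | fake_target
}

# The "( payload; cat )" subshell keeps stdin open so you can type at the shell.
# Here a scripted command stands in for what you would type into cat.
exploit_then_talk() {
    ( p32 0x89453290; printf 'echo pwned\n' ) | fake_target
}
```

Run p32_hex 0x89453290 first: it should print 90324589, the same bytes the Python one-liner produces (minus the newline). exploit_then_eof prints nothing because the shell hits EOF, while exploit_then_talk prints pwned, which is exactly the difference cat makes.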
The payload can also be read from a file, or, when the program reads its input from argv instead of stdin, passed on the command line:
./vuln < myfile.txt
./vuln $(python -c 'print "\x41" * 36')
Inside gdb, the run command (r) accepts the same redirections and arguments (<( ... ) is bash process substitution, so it relies on gdb launching the program through bash):
r < <(python -c 'print "\x41" * 36')
r < myfile.txt
r $(python -c 'print "\x41" * 36')
Suppose localhost:666 is running a vulnerable process that takes input via stdin. Pipe the payload through nc instead of directly into the program:
python -c 'print "\xef\xbe\xad\xde"' | nc -vv localhost 666
The -vv flags just make nc's output very verbose; they are not needed for the exploit. The (payload; cat) trick above works the same way here if you want to keep the connection open and talk to the shell afterwards.
Some programs take their input from argv instead of stdin. However, it can be inconvenient to send large amounts of data via argv, so we can use a program called xargs to help us. xargs takes whatever values come in on its stdin and uses them as arguments to the program given as its own argument. Keep in mind that xargs splits its input on whitespace and interprets quotes, and that argv strings are NUL-terminated, so a payload containing spaces, newlines, quotes or \x00 will not arrive intact this way.
The rm program on Unix systems receives the file names it should delete from argv. This could be cumbersome if you need to delete all files in a directory (let's pretend shell wildcard expansion doesn't exist for this example). A potential solution is the following command.
# Deletes all non-hidden files in the current directory
ls | xargs rm
The stdout of ls is piped to the stdin of xargs, and xargs runs rm with that input as rm's arguments. Because xargs splits on whitespace, a file name containing a space arrives at rm as two separate arguments, so this only works for well-behaved names.
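The splitting behaviour matters both for the rm example and for delivering payloads through xargs, so here is an added example (not from the original page) that shows it directly. show_tokens feeds constructed input through xargs and prints each argument the child program actually received; naive_leftover and safe_leftover create a scratch directory containing a file named "with space", clean it up with ls | xargs rm versus find -exec, and report how many files survived. The file names and the scratch directory are constructed for this example.

```shell
# Show how xargs tokenises its stdin: whitespace separates arguments and
# quotes group words, so 'A B' becomes two arguments and '"C D"' becomes one.
show_tokens() {
    printf 'A B\n"C D"\n' | xargs sh -c 'for a; do printf "[%s]" "$a"; done' sh
}

# Scratch directory with one ordinary file and one whose name contains a space.
make_scratch() {
    d=$(mktemp -d) || return 1
    : > "$d/plain"
    : > "$d/with space"
    printf '%s\n' "$d"
}

count_files() { find "$1" -type f | wc -l | tr -d ' '; }

# ls | xargs rm: xargs splits "with space" into "with" and "space", rm removes
# "plain" and fails on the other two, so one file is left behind.
naive_leftover() {
    d=$(make_scratch) || return 1
    ( cd "$d" && ls | xargs rm ) 2>/dev/null || true
    count_files "$d"
    rm -rf "$d"
}

# find -exec hands each path to rm as a single argv entry, whatever it contains.
# (find -print0 | xargs -0 does the same and is common, but is not POSIX.)
safe_leftover() {
    d=$(make_scratch) || return 1
    ( cd "$d" && find . -type f -exec rm -- {} + ) || true
    count_files "$d"
    rm -rf "$d"
}
```

show_tokens prints [A][B][C D]; naive_leftover prints 1 and safe_leftover prints 0. The same splitting is why an exploit payload with a space or newline in it cannot be delivered unchanged through ls-style pipelines into xargs.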