Leet Sheet
  • Leet Sheet
  • TODO
  • Reconnaissance
    • Automated Reconnaissance
    • Domains
    • Scour the Web
    • Metadata
  • Web App Hacking
    • Enumeration
      • Webserver Virtualhost Subdomains
      • Common Identifiers
      • Web Fuzzing
      • Directory Enumeration
        • Automated Directory Enumeration
        • Manual Directory Enumeration
      • Automated Web Technology Detection
    • User Attacks
      • CORS Misconfigurations
      • DNS Rebinding
      • Open Redirect
      • Clickjacking
      • Cross Site Request Forgery (CSRF)
      • Session Fixation
      • XSS/Cross Site Scripting
      • CSS Injection
      • HTML Injection
      • Phishing
    • Database Attacks
      • SQL Injection
      • Get a Shell From DB Connection
    • Server Attacks
      • Collisions
      • Server Side Request Forgery
        • Redis SSRF
      • Insecure Direct Object Reference
      • Timing-Based Side-Channel Attacks
      • Attacking Authentication Methods
        • JWT Attacks
        • Brute Forcing Web Forms
      • Loose Comparisons
      • Unrestricted File Upload
      • Insecure Deserialization
      • Command Injection
      • Path Traversal
      • File Inclusion
      • Server-Side Template Injection
      • XML External Entities Injection (XXE)
      • Server Misconfigurations
      • Parser Inconsistencies
      • Bypassing WAFs
    • DNS Attacks
    • Cloud Attacks
      • Amazon Web Services
    • Interesting Outdated Attacks
      • SQL Truncation
  • Network Hacking
    • General Enumeration
    • RPC
    • LDAP
    • SMB
    • SNMP
    • WMI
    • SSH
    • Kerberos
    • NTLM
    • Man-In-the-Middle (MITM)
    • WinRM
  • Post Exploitation
    • Windows
      • CLI Tips
      • Shells
      • Windows Script Host
      • Windows Privilege Escalation
        • Enumeration
        • JuicyPotato/RottenPotato
        • Kernel Exploits
        • Unquoted Service Paths
      • Active Directory
      • Dumping Passwords
      • NTLM Hash Theft
    • Linux
      • Port Forwarding
      • Shells
      • Linux Privilege Escalation
        • Enumeration
        • SUID Bit
        • Dot (.) In PATH
        • Escape From Restricted Shell
        • Symlink Trickery
        • Wildcard Injection
        • Docker group/LXD group
        • Password Reuse
      • Backdoors
    • Docker Container
    • General
  • Various
    • CVEs
    • SSH Agent Hijacking
    • Password Cracking
    • Cryptography
    • Non-Hacking
    • Malware
    • Forensics
      • Reading Keystrokes from USB PCAP Data
  • Binary Exploitation
    • Resources
    • Base Knowledge
    • Format String Exploits
    • Stack Smashing
    • Heap Exploits
    • Time-of-Check to Time-of-Use (TOCTOU)
    • Shellcode
    • Decompilation
    • Debugging
    • Exploit Mitigations and Protections
    • Exploit Protection Bypassing
    • Passing Input
    • Fuzzing
    • Automatic Exploitation
  • Physical Security
    • Mechanical Locks
    • Electronic Locks
    • Other Attacks
    • Destructive Entry
    • Elevator Attacks
  • Social Engineering
    • Phishing
Powered by GitBook
On this page
  • Pwntools
  • Sending data over the network using PwnTools
  • Passing input to program parameters
  • Passing hex to gdbserver
  • Passing hex to gdb
  • Passing hex to radare2
  • Passing hex using echo
  • Passing input to read()
  • Passing hex using Python
  • Passing hex from stdin during program execution
  • Passing predefined input and then reading from stdin

Was this helpful?

  1. Binary Exploitation

Passing Input

PreviousExploit Protection BypassingNextFuzzing

Last updated 2 years ago

Was this helpful?

Often, you need to pass hex input to your programs, which may be difficult to do. Here are some techniques to accomplish this.

Pwntools

is really useful for passing data, both locally and remotely.

Sending data over the network using PwnTools

Connect:

io = pwn.remote(RHOST, RPORT)

Receive data:

# Receive until newline
io.recvline()

# Receive an EXACT NUMBER of bytes
io.recvn(length) 

# Receive UP TO a number of bytes and RETURN IMMEDIATELY when data becomes available. 
# Warning: You might not get all the data this way.
io.recv(length) 

Send data:

io.send(bytes)

Convert values to bytes:

pwn.p32(value)

Receive as much input as you're given:

while io.can_recv():
    print(io.recv())

Passing input to program parameters

Passing hex to gdbserver

gdbserver 0.0.0.0:22222 ./target "$(perl -e 'print "\x41\x41\x41\x41\x41\x41"')"

Passing hex to gdb

This is a bit convoluted but it works:

gdb --args ./target "$(perl -e 'print "\x41\x41\x41\x41"')"

Passing hex to radare2

Warning: This didn't work properly for a more complex payload :(

You'll probably have better luck if you start up a gdbserver with hex parameters and then connect to that gdbserver using radare2. But it might still be unreliable. Honestly, GDB sucks but at least it's reliable, so consider using that...

You need to make a radare2 profile, args.rr2:

#!/usr/bin/rarun2
arg1=\x41\x41\x41\x41

Then pass in that profile:

r2 -A -d -r args.rr2 myexecutable

Passing hex using echo

You can use echo -e:

echo -e '\x41'
A

Or you can use this:

echo  $'\x41'
A

The following will pass the letter “A” to some-program as a program parameter:

./some-program "$(echo -n -e '\x41')"

Warning: This doesn't want to work well together with radare2, which inserts unnecessary symbols (like a `\` symbol before a space)

Here's how I got the hex representation of a payload. I'm sure there's a better way to do it, but it works:

for i in payload: print('{}{}'.format('\\x', hex(i)[2:]), end='')

Passing input to read()

Passing hex using Python

Passing hex from stdin during program execution

If you want to pass hex on the command line by typing it in yourself via stdin, then this is one way to do it:

echo -e "$(cat -)" | ./net-zero 

You’re reading stdin with cat, passing that into echo -e and piping it into net-zero. The good thing is that you don’t have to read the input before the program is executed, you can do it while it’s executed.

So what will happen is that net-zero will execute and ask for your input. You can type in some input, for example \xae\r\x7fJ , add a newline and press CTRL+d. CTRL+d passes the END OF TRANSMISSION byte to cat, which stops reading from stdin and passes the input to the program.

If you’re wondering where the \xae\r\x7fJ came from, then that is the format string representation of the integer 1249840558, which I got using Python:

python
>>> import struct
>>> struct.pack("I",1249840558)
'\xae\r\x7fJ'

Passing predefined input and then reading from stdin

This will read predefined input from input.txt into stack-five, after which input from stdin will be passed. This is useful for getting a shell and then passing commands to that shell from stdin.

(cat ~/input.txt; cat) | /opt/phoenix/amd64/stack-five

You can create a script to output the necessary bytes. Take a look at this for an example.

Pwntools
Solution
Timestamped explanation