scp Pseudo-terminal will not be allocated because stdin is not a terminal

I’m trying to perform a scp call to move files between a local computer and my university remote servers.

The flow is to enter the details of the username, then it asks for an OTP password and if it’s correct, then you get asked to your own user password in the remote server.

The basic command I use is: For example – executing SSH:

$   ssh user@gw.cs.huji.ac.il (OTP) Password: ... (IDng) Password:  ###################################################################  You are using river-01 running debian64-5779 Linux  Please report problems to <system@cs>. ###################################################################  Last login: Thu May 23 20:59:31 2019 from 132.65.116.14 The only time a dog gets complimented is when he doesn't do anything.       -- C. Schulz <1|0> user@river-01:~% 

Note the option to create an ssh key is disabled, thus we have to go with this specific procedure.

Now I want to perform an SCP command to transfer “~/foo.txt” in the remote server to “./foo.txt”. I issue the command

scp -o user%river@gw.cs.huji.ac.il:~/foo.txt ./foo.txt 

But I Then get an error which’s related to TTY. Look at this output:

$   scp user%river@gw.cs.huji.ac.il:~/foo.txt ./foo.txt (OTP) Password: 454583 Pseudo-terminal will not be allocated because stdin is not a terminal. 

In other words, instead of asking the second password, it shows the Pesudo-terminal error.

I tried to set -o RequireTTY=force but it didn’t work. Is there any other way to handle this?

Thanks in advance!

Format String Vulnerability – Can’t read an address from stdin with read() in C

I wanted to exploit this code using format string vulnerability:

int jackpot;  void fmt_str(void) {     char buf[128];     puts("Give me a string to print");     read(0, buf, 128);     printf(buf);      printf("jackpot @ %p = %d [0x%08x]\n", &jackpot, jackpot, jackpot);     if (jackpot == 0x1337)         puts("You won!");     else         puts("You lost :(");  }  int main(void) {     srand(time(0));     setbuf(stdout, 0);      jackpot = rand();     fmt_str();     return 0; } 

The idea is using format string vulnerability in order to get “You won!”. By using objdump I found out that the address of the global variable jackpot is 0x0804a04c. Since i can’t use a Python script to input my string in argc, this is what i tried to do (working on gdb):

Give me a string to print AAAAAAAAAAAAAAAA '\x4c\xa0\x04\x08' BBBBBBBBBBBBBBB %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x 

and this is what i get with print(buf)

AAAAAAAAAAAAAAAA '\x4c\xa0\x04\x08' BBBBBBBBBBBBBBB bffff280 80 0 41414141 41414141 41414141 41414141 785c2720 785c6334 785c3061 785c3430 20273830 42424242 42424242 42424242 20424242 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 

Basically, my intention is having the jackpot‘s address between the 41s and the 42s, so that I can better locate it in the printed string, and perform an attack by changing %x to %n. The problem is that with this way of reading input, I can’t write the target address in the string, so I can’t perform the attack. What do you suggest? The program is compile with the stack made executable, with -fno-stack-protection and with ASLR disabled.

Why does writing to the console a process’s STDIN is attached to doesn’t send input to the application itself?

Taken from this answer:

Terminal 1:

[ciupicri@hermes ~]$   cat shows on the tty but bypasses cat 

Terminal 2:

[ciupicri@hermes ~]$   pidof cat 7417 [ciupicri@hermes ~]$   echo "shows on the tty but bypasses cat" > /proc/7417/fd/0 

I don’t quite understand why writing to the file descriptor corresponding to the stdin of the cat process bypasses the process itself, but appears on the terminal. The relation among the terminal, file descriptor, device file, console are confusing to me. Also, I feel sometimes these are abused in technical writing. Can someone enlighten me?

Sumfony console, как читать stdin

Пишу простое консольное приложение с командами на основе классов Symfony\Component\Console\Command\Command.

Возникла необходимость читать ввод через пайп, пришлось сделать вот так: $ params = stream_get_contents(fopen("php://stdin", "r"));. Вопрос, есть ли уже в symfony/console реализация такого чтения?