OS laggy after echoing a string in file descriptors 0,1,2 (stdin, stdout, stderr)

I was trying to exploit capacity leaking to a C program, by taking advantage of the non-existence of the fclose() function for a file that the program previously opened.

In short, the exploitation included the following command

sudo echo some_random_string >&3 

The thing is I ran the same command using >&2, >&1 and >&0 as well (stdin, stdout, stderr).

And well, my PC has lagged since then (for example, mouse clicks don’t work in the browser from time to time).

Any idea about what is going on?

How can Python and PHP be connected via stdin?

I have a Python script that serves as a launcher for running Frida (https://frida.re/docs/functions/). Is it possible to pass its stdout to a PHP script?

python3 loader.py | php reader.php 

The problem is that sys.stdin.read() has to be used to prevent the application from exiting.

python3 -c 'print(1)' | xargs printf "data: %s" # Prints data: 1 

But this code prints nothing because stdin is blocked:

python3 -c 'import sys; print(1); sys.stdin.read();' | xargs printf "data: %s" 

Print the contents of stdin

How can I print the contents¹ of stdin without removing (that is, without reading the way scanf does, which removes data and stores it in a supplied variable) the characters¹ that are there? How can I know how many characters are still there? For these purposes, is stdin a “normal file”², that is, does it allow reading and writing?

Here is an example with the input abcd efgh at the first scanf only.

    #include <stdio.h>

    int main(void){
        char s[3][100]={0};
        printf("Primeira string: ");
        scanf("%s",s[0]);
        printf("%s!!\n", s[0]);
        // At this point "efgh\n" is in stdin, I think
        printf("Segunda string: ");
        scanf("%s",s[1]); // I don't press enter here
        printf("%s!!!!\n", s[1]);
    }

Output

    Primeira string: abcd efgh
    abcd!!
    Segunda string: efgh!!!!

I almost never use scanf; I use fgets, and with keyboard input, so I don’t know how each input function obtains its data from stdin, but one difference I know of between fgets and scanf regarding the criterion for stopping reading is that fgets treats the character ' ' (space) as valid.

¹ The content that comes from stdin is a sequence of bytes/characters, right?
² Related answer: How to count the total number of characters in a txt file, including spaces and ‘\n’?

Other related questions: How to really understand Streams?, What is a stream?, How to read from stdin in C?

Sum ints on stdin

I have been meaning to learn LISP and for a small task I wanted to find out the sum of all integers on STDIN. So for

    > clisp a.lisp
    1
    2
    3^D
    6

My code is as follows. I have a small helper function, my core function and the invocation of it.

    (defun read-int ()
      (parse-integer (read-line)))

    (defun sum-stdin ()
      (handler-case
          ; recurse
          (+ (read-int) (sum-stdin))
        ; base case: if eof
        (error (c)
          (values 0))))

    (write (sum-stdin))

Is this according to “the lisp way”?

One thing I see is that it feels weird to basically have as the base case of my recursive function what would otherwise be the catch block in a non-functional language. I don’t think there is a rule against it, but it just seems very unusual and hacky.

scp Pseudo-terminal will not be allocated because stdin is not a terminal

I’m trying to perform a scp call to move files between a local computer and my university remote servers.

The flow is to enter the details of the username, then it asks for an OTP password and, if it’s correct, you then get asked for your own user password on the remote server.

The basic command I use is: For example – executing SSH:

    $ ssh user@gw.cs.huji.ac.il
    (OTP) Password: ...
    (IDng) Password:

    ###################################################################
     You are using river-01 running debian64-5779 Linux
     Please report problems to <system@cs>.
    ###################################################################

    Last login: Thu May 23 20:59:31 2019 from 132.65.116.14
    The only time a dog gets complimented is when he doesn't do anything.
          -- C. Schulz
    <1|0> user@river-01:~%

Note the option to create an ssh key is disabled, thus we have to go with this specific procedure.

Now I want to perform an SCP command to transfer “~/foo.txt” in the remote server to “./foo.txt”. I issue the command

scp -o user%river@gw.cs.huji.ac.il:~/foo.txt ./foo.txt 

But I then get an error which is related to TTY. Look at this output:

    $ scp user%river@gw.cs.huji.ac.il:~/foo.txt ./foo.txt
    (OTP) Password: 454583
    Pseudo-terminal will not be allocated because stdin is not a terminal.

In other words, instead of asking for the second password, it shows the Pseudo-terminal error.

I tried to set -o RequireTTY=force but it didn’t work. Is there any other way to handle this?

Thanks in advance!

Format String Vulnerability – Can’t read an address from stdin with read() in C

I wanted to exploit this code using format string vulnerability:

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #include <unistd.h>

    int jackpot;

    void fmt_str(void)
    {
        char buf[128];
        puts("Give me a string to print");
        read(0, buf, 128);
        printf(buf);    /* user input used as the format string */

        printf("jackpot @ %p = %d [0x%08x]\n", &jackpot, jackpot, jackpot);
        if (jackpot == 0x1337)
            puts("You won!");
        else
            puts("You lost :(");
    }

    int main(void)
    {
        srand(time(0));
        setbuf(stdout, 0);

        jackpot = rand();
        fmt_str();
        return 0;
    }

The idea is using format string vulnerability in order to get “You won!”. By using objdump I found out that the address of the global variable jackpot is 0x0804a04c. Since I can’t use a Python script to input my string in argc, this is what I tried to do (working on gdb):

Give me a string to print AAAAAAAAAAAAAAAA '\x4c\xa0\x04\x08' BBBBBBBBBBBBBBB %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x 

and this is what I get with print(buf)

AAAAAAAAAAAAAAAA '\x4c\xa0\x04\x08' BBBBBBBBBBBBBBB bffff280 80 0 41414141 41414141 41414141 41414141 785c2720 785c6334 785c3061 785c3430 20273830 42424242 42424242 42424242 20424242 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 

Basically, my intention is having jackpot’s address between the 41s and the 42s, so that I can better locate it in the printed string, and perform an attack by changing %x to %n. The problem is that with this way of reading input, I can’t write the target address in the string, so I can’t perform the attack. What do you suggest? The program is compiled with the stack made executable, with -fno-stack-protection and with ASLR disabled.
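From the defender's side of the code in the question above, an added example (not the poster's code) of the corrected pattern for fmt_str(): the input is NUL-terminated after read() and passed as an argument to a constant format, so conversion specifiers in it are inert. The names print_untrusted, count_conversions and run_case and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read untrusted bytes from fd and render them into out as data only. */
static int print_untrusted(int fd, char *out, size_t cap)
{
    char buf[128];
    ssize_t n = read(fd, buf, sizeof buf - 1);  /* keep one byte for the NUL */
    if (n < 0) return -1;
    buf[n] = '\0';                  /* read() never terminates the buffer */
    return snprintf(out, cap, "%s", buf);       /* the format is a constant */
}

/* Count conversion specifications; "%%" is a literal percent sign. */
static int count_conversions(const char *s)
{
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                    /* skip the escaped percent */
        else
            hits++;
    }
    return hits;
}

/* Feed a constructed input through a pipe, standing in for stdin. */
static int run_case(const char *input, char *out, size_t cap)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    ssize_t w = write(p[1], input, strlen(input));
    close(p[1]);
    int n = (w < 0) ? -1 : print_untrusted(p[0], out, cap);
    close(p[0]);
    return n;
}

int main(void)
{
    char out[256];
    const char *sample = "%x %x %n";            /* constructed sample input */
    run_case(sample, out, sizeof out);
    printf("specifiers: %d, printed as data: %s\n", count_conversions(sample), out);
    return 0;
}
```

Building with gcc's -Wformat -Wformat-security flags reports a printf(buf) call whose format is not a string literal.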

Why doesn’t writing to the console that a process’s STDIN is attached to send input to the application itself?

Taken from this answer:

Terminal 1:

    [ciupicri@hermes ~]$ cat
    shows on the tty but bypasses cat

Terminal 2:

    [ciupicri@hermes ~]$ pidof cat
    7417
    [ciupicri@hermes ~]$ echo "shows on the tty but bypasses cat" > /proc/7417/fd/0

I don’t quite understand why writing to the file descriptor corresponding to the stdin of the cat process bypasses the process itself, but appears on the terminal. The relations among the terminal, file descriptor, device file and console are confusing to me. Also, I feel sometimes these are abused in technical writing. Can someone enlighten me?

Symfony console: how to read stdin

I am writing a simple console application with commands based on the Symfony\Component\Console\Command\Command classes.

I needed to read input through a pipe and had to do it like this: $params = stream_get_contents(fopen("php://stdin", "r"));. The question is whether symfony/console already has an implementation of this kind of reading.