program input redirected via python subprocess

Question

Thought I would be able to find this on google but couldn't. I am trying to exploit a binary written in C using an overflow. In gdb, I've got the overflow landing on the correct bytes to redirect function return, but can't seem to get the right values there to land on my code.

When you run the program, it asks for two inputs from stdin, and I need to be able to supply hex values for some of these. Escaping like \x## does not work at the prompt. I figure I can do something with the python subprocess library.

So far, importing subprocess and using p=subprocess.Popen("bin", stdin=subprocess.PIPE) and p.stdin.write("sometext" + "\xhh\xhh\xhh\xhh") at the prompts is not working like I had hoped.

Any suggestions?

Thanks!

Answer 1

parent.py:

import subprocess
import sys

p = subprocess.Popen([sys.executable, 'sub.py'], stdin=subprocess.PIPE)
p.stdin.write('foo')  # not even a newline seems to be required for this to work, oddly
# p.stdin.flush()  # optional; seems like not required

_, _ = p.communicate()  # this is required--otherwise it just seems to block

sub.py:

print raw_input()

Then running parent.py outputs foo as expected.

If you care about the return value of communicate(), just replace _, _ with out, err (or e.g. out, _ if you only care about the STDOUT); I just like to mark unused variables with _, although one could simply completely ignore the return value of communicate()... but then it would look like communicate returns nothing.

See: http://docs.python.org/2/library/subprocess.html#subprocess.Popen.communicate

UPDATE:

Looks like you can also just:

p = subprocess.Popen([sys.executable, 'sub.py'], stdin=subprocess.PIPE)
_, _ = p.communicate(input='foo')