
I am presently using a python script to run a c executable like

os.system("./a.out \"%s\" " %p)

There are many binary instructions available to me (i1, i2, i3, ... i10 to be exact). I am generating the permutations of these instructions (of length 1, 2, 3, ... 10) using itertools in Python. The string payload p (in the snippet above) is one such permutation. I am measuring the time taken for each permutation as follows:

start = time.clock()
os.system("./a.out \"%s\" " %p)
print time.clock() - start

(This may not be the best way to measure time. But that is the subject of another question.)
Now for some permutations I get a segmentation fault and the Python script proceeds to another permutation. But for some permutations, I get no response (as if stuck in an infinite loop), like:

58 60 452 547 583 649 756 777 932 965 
key  Not found
(Nothing happens after this. This is due to bad combination 
 of instructions or bad payload.
I have to press ctrl C to proceed to next permutation)
^C---------------[9 8 ]------------
The gadget seq is [mov,ret xor eax,eax,ret ] and time taken is 
0.000254 (this is the bad permutation of instructions)

(Next permutation.. )

After I press Ctrl+C, the Python script goes to the next permutation. To put it more clearly:

import itertools
import os
import time

perm = itertools.permutations(gadget_list, 2)  # perm is the list of all permutations of 2 instructions
for string in list(perm):
    # generate the payload p from string, which is one of the permutations
    # feed it to the c program and measure time
    start = time.clock()
    os.system("./a.out \"%s\" " % p)
    print time.clock() - start

Now for longer permutations it becomes tedious to press Ctrl+C for every bad payload. Is there any way I can automate killing/stopping the C program (which I was doing by pressing Ctrl+C) when it gets stuck due to a bad payload, and proceed to the next permutation?

2 Answers

1

To gain more control of the child process, you need to use the subprocess module.

import time
from subprocess import Popen
from shlex import split

proc = Popen(split("./a.out '%s'" % p))  # start the child without blocking

rtime, timeout = 0, 10                   # poll once a second, give up after 10 s
while rtime < timeout:
    rc = proc.poll()                     # None while the child is still running
    if rc is not None:
        break # process finished.
    time.sleep(1)
    rtime += 1
else:                                    # loop ran out without a break: child is stuck
    proc.kill()

2 Comments

So do I replace my os.system() line with the above snippet? Where should I write my start = time.clock() and print time.clock() - start?
start after the Popen line, end at the bottom
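The approach in this answer (start the child with Popen, wait a bounded time, kill it if it is still running, then time the whole thing), written out as a complete Python 3 example that is not part of the answer or the question. It replaces the second-resolution poll loop with Popen.wait(timeout=...) and classifies each run as finished, killed by a signal (the segfault case) or timed out. The target binary, gadget names and payload format are assumptions: instead of the question's ./a.out it drives a constructed stand-in script, FAKE_TARGET, so it runs without a real binary; for the real target make_argv would return ["./a.out", payload].

```python
import itertools
import subprocess
import sys
import time


def run_with_timeout(argv, timeout=10.0):
    """Run argv as a child process and kill it if it outlives `timeout` seconds.

    Returns a dict with:
      status      "finished" (exited normally), "signaled" (killed by a signal,
                  e.g. SIGSEGV for a bad gadget chain) or "timeout" (hung and was killed)
      returncode  exit code when status == "finished", else None
      signal      signal number when status == "signaled", else None
      elapsed     wall-clock seconds around the child's whole life
    """
    start = time.monotonic()
    proc = subprocess.Popen(argv)        # argv list: no shell, so no quoting problems
    try:
        proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()                      # SIGKILL: a stuck child cannot ignore it
        proc.wait()                      # reap it so no zombie is left behind
        return {"status": "timeout", "returncode": None, "signal": None,
                "elapsed": time.monotonic() - start}
    elapsed = time.monotonic() - start
    rc = proc.returncode
    if rc < 0:                           # Popen reports "killed by signal N" as -N
        return {"status": "signaled", "returncode": None, "signal": -rc,
                "elapsed": elapsed}
    return {"status": "finished", "returncode": rc, "signal": None,
            "elapsed": elapsed}


def sweep_permutations(gadget_list, length, make_argv, timeout=10.0):
    """Try every permutation of `length` gadgets, one child process each.

    make_argv(payload) must return the argv list for the target program.
    The result of each run is kept together with the payload that caused it,
    so bad permutations (signaled or timed out) can be reported afterwards.
    """
    results = []
    for perm in itertools.permutations(gadget_list, length):
        payload = " ".join(perm)
        result = run_with_timeout(make_argv(payload), timeout=timeout)
        result["payload"] = payload
        results.append(result)
    return results


# Constructed stand-in for the question's ./a.out (assumption, not the real
# binary): it reads the payload from argv[1], hangs on the token "hang",
# dies with SIGSEGV on "crash" and exits normally otherwise.
FAKE_TARGET = """
import os, signal, sys, time
for tok in sys.argv[1].split():
    if tok == "crash":
        os.kill(os.getpid(), signal.SIGSEGV)
    elif tok == "hang":
        time.sleep(30)
"""


def fake_target_argv(payload):
    """argv for the stand-in target; for the real one return ["./a.out", payload]."""
    return [sys.executable, "-c", FAKE_TARGET, payload]


if __name__ == "__main__":
    for r in sweep_permutations(["ok", "crash", "hang"], 2, fake_target_argv, timeout=0.5):
        print("%-12s %-9s %.3fs" % (r["payload"], r["status"], r["elapsed"]))
```

Passing argv as a list instead of a formatted shell string also means a payload containing a quote or a shell metacharacter is handed to the target verbatim rather than being interpreted by /bin/sh. The elapsed time is measured around Popen and wait together, which is where the comment above says to put start and end.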
0

Try rather something like:

os.system("timeout 5 ./a.out \"%s\" " %p)

to kill the process after 5 seconds, for instance.

Just open a shell and try:

timeout 2 yes

to see.

4 Comments

With this solution I don't need to type Ctrl C. But is there any way to know that timeout happened, so that in that particular permutation I can print a message that this payload is bad?
@shane Yes, the return value should be fine; compare { timeout 2 sleep 1; } && echo ok with { timeout 2 sleep 3; } && echo ok and check that when the timeout is expired, the return value of the timeout command is a failure. Thus, try something like result = os.system("timeout ..."). See docs.python.org/2/library/os.html#os.system "On Unix, the return value is the exit status of the process"
I tried k = os.system("timeout 2 sleep 1") and printed k. The value of k was 0. Then I tried k = os.system("timeout 2 sleep 3"). The value of k this time was 31744. So I can use this difference to find out when the timeout happened? But according to this link: unix.stackexchange.com/questions/205076/… , I thought the value of k in the 2nd case would be 124 rather than 31744.
I got it. os.system returns a 16-bit number. The first 8 bits tell you the exit code and the last 8 bits tell the signal used by the OS to close the command. 31744 = 0x7c00, and 7c in decimal is 124. stackoverflow.com/questions/6466711/…
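The status decoding worked out in the comments above (31744 = 0x7c00, exit code 124 in the high byte, signal number in the low byte), as an added Python 3 example that is not part of the answer or the comments. It uses the os.WIF*/os.W* helpers rather than hand-shifting bits, and wraps the `timeout` approach of this answer in a function that reports whether the run hit the limit. The argv-list interface and the two constructed status values in the comments (139 for a core-dumping SIGSEGV, 3 << 8 for a plain exit) are assumptions; 31744 is the value the commenter observed.

```python
import os
import shlex

TIMEOUT_EXIT_CODE = 124   # coreutils timeout(1) exits 124 when it had to kill the command


def decode_wait_status(status):
    """Decode the 16-bit wait status that os.system() returns on Unix.

    Bits 8-15 hold the exit code when the child exited normally
    (31744 = 0x7c00 -> exit code 0x7c = 124, i.e. timeout(1) hit its limit).
    Bits 0-6 hold the terminating signal when the child was killed
    (139 = 0x8b -> signal 11, SIGSEGV, with bit 7 set because a core was dumped).
    """
    if os.WIFEXITED(status):
        return {"kind": "exited", "exit_code": os.WEXITSTATUS(status),
                "signal": None, "core_dumped": False}
    if os.WIFSIGNALED(status):
        return {"kind": "signaled", "exit_code": None,
                "signal": os.WTERMSIG(status), "core_dumped": os.WCOREDUMP(status)}
    return {"kind": "stopped", "exit_code": None, "signal": None, "core_dumped": False}


def run_with_coreutils_timeout(argv, seconds):
    """Run argv under `timeout SECONDS ...` through os.system and classify the outcome.

    Returns the decoded status plus "timed_out" and "raw_status". A run that timed
    out or died by a signal is a bad permutation in the question's terms. Note that
    coreutils timeout normally re-raises on itself the signal that killed the command,
    so a SIGSEGV in ./a.out shows up here as kind == "signaled" rather than as 124.
    """
    cmd = "timeout %d %s" % (seconds, " ".join(shlex.quote(a) for a in argv))
    status = os.system(cmd)              # 16-bit wait status on Unix, as in the comments
    info = decode_wait_status(status)
    info["raw_status"] = status
    info["timed_out"] = info["kind"] == "exited" and info["exit_code"] == TIMEOUT_EXIT_CODE
    return info


if __name__ == "__main__":
    print(decode_wait_status(31744))     # the value seen in the comments above
    print(decode_wait_status(139))       # constructed: SIGSEGV with core dump
    # Live check needing coreutils timeout(1); argv is assumed, e.g. ["./a.out", p]
    print(run_with_coreutils_timeout(["sleep", "3"], 1))
```

With this, the loop from the question can print "bad payload" when info["timed_out"] or info["kind"] == "signaled" is set, and distinguish a hang from a crash without reading the raw number.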
