How to pass \x00 as argument to program?

I have a small program where I wish to pass shellcode as argument. In the shellcode, there is a necessity to pass \x00. I tried the following command:

./program `python -c 'print "\x01\x00\x00\x00\x9c\xd8\xff\xbf"'`

But the \x00 doesn't get registered at all! The arguments passed to the program are "\x01\x9c\xff\xbf".

I don't think it's a problem with python, but rather with the shell which passes the argument. I am using the bash shell.

Now, how do I force the shell to pass the argument '\x00'?

Thanks and Regards,
Hrishikesh Murali

asked Sep 06 '11 07:09 by Hrishikesh Murali

2 Answers

Not at all. Unix uses C-style strings for the arguments a command is invoked with, and they are NUL-terminated character sequences.

What you can do is to rewrite your program (or find an invocation variant) to accept the parameter in its standard input. NUL bytes work just fine there and are, in fact, widely used, typically as separators for file names, since they are pretty much the only thing a file name can never contain. See find's -print0 switch and xargs' switch -0 for the arguably most popular examples.

answered Sep 25 '22 18:09 by Christopher Creutzig

If you check with wc, you'll find that the NUL character is indeed passed:

$ python -c 'print "\x00"' | wc -c
2

To get rid of the newline at the end:

$ python -c 'import sys; sys.stdout.write("\x00")' | wc -c
1

This data is passed to the script, but the problem is that NUL can not be part of a variable value.

To see how, try to pass this to a script:

$ cat test.sh 
#!/usr/bin/env bash
echo ${#1}
$ ./test.sh "$(python -c 'import sys; sys.stdout.write("\x00")')"
0

Gone. But there's a way to save the day - Read from standard input, using either redirection or a pipe:

$ cat test2.sh 
#!/usr/bin/env bash
wc -c
$ ./test2.sh < <(python -c 'import sys; sys.stdout.write("\x00")')
1
$ python -c 'import sys; sys.stdout.write("\x00")' | ./test2.sh
1
answered Sep 22 '22 18:09 by l0b0
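Both answers come down to the same point: argv entries are C strings, so the first NUL ends them, whereas a byte count read from standard input keeps every byte. The program below is an added example (not code from the question or either answer) that makes the difference measurable: it reads stdin with fread(), which counts bytes rather than stopping at NUL, and reports how many bytes arrived, how many of them are NUL, and how many a strlen()-style argv view of the same buffer would have seen. The function names and the 4096-byte cap are choices made for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Read every byte from `in` into `buf` (at most `cap` bytes) and return the
   number of bytes read. fread() is length-based, so embedded NULs survive. */
size_t read_all(FILE *in, unsigned char *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        size_t n = fread(buf + total, 1, cap - total, in);
        if (n == 0)          /* EOF or read error: stop */
            break;
        total += n;
    }
    return total;
}

/* Count NUL bytes in a length-delimited buffer. */
size_t count_nul(const unsigned char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            c++;
    return c;
}

/* Length the same bytes would have if handed over as a C string in argv:
   everything up to, but not including, the first NUL. */
size_t argv_visible_len(const unsigned char *buf, size_t len) {
    size_t i = 0;
    while (i < len && buf[i] != 0)
        i++;
    return i;
}

int main(void) {
    unsigned char buf[4096];   /* example cap; raise it for larger inputs */
    size_t n = read_all(stdin, buf, sizeof buf);
    printf("stdin delivered %zu bytes, %zu of them NUL; "
           "as an argv C string only %zu would be visible\n",
           n, count_nul(buf, n), argv_visible_len(buf, n));
    return 0;
}
```

Feeding it the bytes from the question the way the second answer suggests, python -c 'import sys; sys.stdout.write("\x01\x00\x00\x00\x9c\xd8\xff\xbf")' | ./nulcount, reports 8 bytes with 3 NULs and an argv-visible length of 1, which is exactly why the argv route cannot work.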