Hacking - The Art of Exploitation, 2nd Edition


134 0x300


reader@hacking:~/booksrc $ perl -e 'print "\x41" x 20;'
AAAAAAAAAAAAAAAAAAAA


In addition, string concatenation can be done in Perl with a period (.).
This can be useful when stringing multiple addresses together.

reader@hacking:~/booksrc $ perl -e 'print "A"x20 . "BCD" . "\x61\x66\x67\x69"x2 . "Z";'
AAAAAAAAAAAAAAAAAAAABCDafgiafgiZ


An entire shell command can be executed like a function, returning its
output in place. This is done by surrounding the command with parentheses
and prefixing a dollar sign. Here are two examples:

reader@hacking:~/booksrc $ $(perl -e 'print "uname";')
Linux
reader@hacking:~/booksrc $ una$(perl -e 'print "m";')e
Linux
reader@hacking:~/booksrc $


In each case, the output of the command found between the parentheses
is substituted for the command, and the command uname is executed. This
exact command-substitution effect can be accomplished with grave accent
marks (`, the tilted single quote on the tilde key). You can use whichever
syntax feels more natural for you; however, the parentheses syntax is easier
to read for most people.

reader@hacking:~/booksrc $ u`perl -e 'print "na";'`me
Linux
reader@hacking:~/booksrc $ u$(perl -e 'print "na";')me
Linux
reader@hacking:~/booksrc $


Command substitution and Perl can be used in combination to quickly
generate overflow buffers on the fly. You can use this technique to easily test
the overflow_example.c program with buffers of precise lengths.

reader@hacking:~/booksrc $ ./overflow_example $(perl -e 'print "A"x30')
[BEFORE] buffer_two is at 0xbffff7e0 and contains 'two'
[BEFORE] buffer_one is at 0xbffff7e8 and contains 'one'
[BEFORE] value is at 0xbffff7f4 and is 5 (0x00000005)
[STRCPY] copying 30 bytes into buffer_two
[AFTER] buffer_two is at 0xbffff7e0 and contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at 0xbffff7e8 and contains 'AAAAAAAAAAAAAAAAAAAAAA'
[AFTER] value is at 0xbffff7f4 and is 1094795585 (0x41414141)
Segmentation fault (core dumped)
reader@hacking:~/booksrc $ gdb -q
(gdb) print 0xbffff7f4 - 0xbffff7e0
$1 = 20
