c - Buffer overflow works in gdb but not without it -

-

i on centos 6.4 32 bit , trying cause buffer overflow in program. within gdb works. here output:

[root@localhost bufferoverflow]# gdb stack gnu gdb (gdb) red hat enterprise linux (7.2-60.el6_4.1) copyright (c) 2010 free software foundation, inc. license gplv3+: gnu gpl version 3 or later <http://gnu.org/licenses/gpl.html> free software: free change , redistribute it. there no warranty, extent permitted law.  type "show copying" , "show warranty" details. gdb configured "i686-redhat-linux-gnu". bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... reading symbols /root/bufferoverflow/stack...done. (gdb) r starting program: /root/bufferoverflow/stack process 6003 executing new program: /bin/bash missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6_4.2.i686 sh-4.1#

however when run program stack on own seg faults. why might be?

exploit development can lead serious headaches if don't adequately account factors introduce non-determinism debugging process. in particular, stack addresses in debugger may not match addresses during normal execution. artifact occurs because operating system loader places both environment variables , program arguments before beginning of stack:

process layout

since vulnerable program not take arguments, environment variables culprit. mare sure same in both invocations, in shell , in debugger. end, can wrap invocation in env:

env - /path/to/stack

and debugger:

env - gdb /path/to/stack ($) show env lines=24 columns=80

in above example, there 2 environment variables set gdb, can further disable:

unset env lines unset env columns

now show env should return empty list. @ point, can start debugging process find absolute stack address envision jump (e.g., 0xbffffa8b), , hardcode exploit.

one further subtle important detail: there's difference between calling ./stack , /path/to/stack: since argv[0] holds program how invoked it, need ensure equal invocation strings. that's why used /path/to/stack in above examples , not ./stack , gdb stack.

when learning exploit memory safety vulnerabilities, recommend use wrapper program below, heavy lifting , ensures equal stack offsets:

$ invoke stack         # call executable $ invoke -d stack      # run executable in gdb

here script:

#!/bin/sh  while getopts "dte:h?" opt ;   case "$opt" in     h|\?)       printf "usage: %s -e key=value prog [args...]\n" $(basename $0)       exit 0       ;;     t)       tty=1       gdb=1       ;;     d)       gdb=1       ;;     e)       env=$optarg       ;;   esac done  shift $(expr $optind - 1) prog=$(readlink -f $1) shift if [ -n "$gdb" ] ;   if [ -n "$tty" ];     touch /tmp/gdb-debug-pty     exec env - $env term=screen pwd=$pwd gdb -tty /tmp/gdb-debug-pty --args $prog "$@"   else     exec env - $env term=screen pwd=$pwd gdb --args $prog "$@"   fi else   exec env - $env term=screen pwd=$pwd $prog "$@" fi

Comments

Post a Comment

Popular posts from this blog

html5 - What is breaking my page when printing? -

-
Image
i have questioner , don't know why when printing it's creating break before first question. live demo (link) i able resolve issue removing fieldset container had wrapped in.. having fieldset element causing of fields grouped together, , since not fit on first page, being pushed second page. removing fieldset element, able firefox print first 2 questions on page 1 identically chrome. it seems not new problem firefox , fieldset not playing nice found old bugzilla ticket 2008 has persisted , still being commented on in 2014 (link) if retaining fieldset important, found solution else came here (link) <script type='text/javascript'> $(window).bind('beforeprint', function(){ $('fieldset').each( function(item) { $(this).replacewith($('<div class="fieldset">' + this.innerhtml + '</div>')); } ) }); $(window).bind(
Read more

c# - must be a non-abstract type with a public parameterless constructor in redis -

-
when save object, got below error must non-abstract type public parameterless constructor in order use parameter 't' in generic type or method 'servicestack.redis.redisclient.store<t>(t) redisclass.getinstnace().store(msg); // error here redisclass.getinstnace().save(); as third party's class, can not edit how save object? could create wrapper around third party object call constructor, store wrapper? e.g. public class mywrapper { public thirdpartyobject thirdpartyinstance { get; set; } public mywrapper() { thirdpartyinstance = new thirdpartyobject("constructors"); } }
Read more

ajax - PHP/JSON Login script (Twitter style) not setting sessions -

-
i'm having trouble getting twitter style login work properly, reason gets stuck at session_register("useremail"); session_register("userpass"); and doesn't redirect after it. if enter wrong account data, works , appropriate error message pops up. this full code: <?php if(empty($_post['email']) || empty($_post['password'])) { die(msg(0,"all fields required")); } if(!(preg_match("/^[\.a-z0-9_\-\+]+[@][a-z0-9_\-]+([.][a-z0-9_\-]+)+[a-z]{1,4}$/", $_post['email']))) die(msg(0,"you haven't provided valid e-mail")); $host="localhost"; $username="root"; $password="x"; $db_name="x"; $tbl_name="x"; mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select db"); $useremail=$_post['email']; $userpass=
Read more