Buffer overflow works in gdb but not without it

by

Exploit development can lead to serious headaches if you don’t adequately account for factors that introduce non-determinism into the debugging process. In particular, the stack addresses in the debugger may not match the addresses during normal execution. This artifact occurs because the operating system loader places both environment variables and program arguments before the beginning of the stack:

Process layout

Since your vulnerable program does not take any arguments, the environment variables are likely the culprit. Mare sure they are the same in both invocations, in the shell and in the debugger. To this end, you can wrap your invocation in env:

env - /path/to/stack

And with the debugger:

env - gdb /path/to/stack
($) show env
LINES=24
COLUMNS=80

In the above example, there are two environment variables set by gdb, which you can further disable:

unset env LINES
unset env COLUMNS

Now show env should return an empty list. At this point, you can start the debugging process to find the absolute stack address you envision to jump to (e.g., 0xbffffa8b), and hardcode it into your exploit.

One further subtle but important detail: there’s a difference between calling ./stack and /path/to/stack: since argv[0] holds the program exactly how you invoked it, you need to ensure equal invocation strings. That’s why I used /path/to/stack in the above examples and not just ./stack and gdb stack.

When learning to exploit with memory safety vulnerabilities, I recommend to use the wrapper program below, which does the heavy lifting and ensures equal stack offsets:

$ invoke stack         # just call the executable
$ invoke -d stack      # run the executable in GDB

Here is the script:

#!/bin/sh

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

More Related Contents:

  1. Why is the gets function so dangerous that it should not be used?
  2. How to prevent scanf causing a buffer overflow in C?
  3. Do you use the TR 24731 ‘safe’ functions? [closed]
  4. Why should you use strncpy instead of strcpy?
  5. Why are strlcpy and strlcat considered insecure?
  6. Why is strtok() Considered Unsafe?
  7. How can a Format-String vulnerability be exploited?
  8. Why didn’t gcc (or glibc) implement _s functions?
  9. How to turn off gcc compiler optimization to enable buffer overflow
  10. Why is printf with a single argument (without conversion specifiers) deprecated?
  11. Why does this memory address %fs:0x28 ( fs[0x28] ) have a random value?
  12. How to determine the size of an allocated C buffer? [duplicate]
  13. Why is the gets function so dangerous that it should not be used?
  14. Why is the fgets function deprecated?
  15. Using a Single system() Call to Execute Multiple Commands in C
  16. Extracting string from char array specified by prefix and suffix
  17. Are there any platforms where pointers to different types have different sizes?
  18. The “backspace” escape character ‘\b’: unexpected behavior?
  19. Is there a a way to achieve closures in C
  20. How to turn off buffering of stdout in C
  21. What is the purpose of the h and hh modifiers for printf?
  22. Realistic usage of the C99 ‘restrict’ keyword?
  23. How to set CPU affinity for a process from C or C++ in Linux?
  24. How is the result struct of localtime allocated in C?
  25. What does !!(x) mean in C (esp. the Linux kernel)?
  26. Why do you specify the size when using malloc in C?
  27. Why can´t we assign a new string to an char array, but to a pointer?
  28. Regular expression for a string literal in flex/lex
  29. Difference between dereferencing pointer and accessing array elements
  30. Why the ASCII value of a digit character is equal to the value plus ‘0’?

Leave a Comment