c++ - Send piped input in GDB at breakpoint rather than initially


I've researched this question, and the closest answer I could find is this: gdb - debugging piped input (not arguments)

I need the same thing as the person asking; however, I need to be able to send the input after having viewed a portion of the program run.

This is the code I'm looking at in gdb:

    #include <stdio.h>
    #include <stdlib.h>

    #define secret1 0x44
    #define secret2 0x55

    int main(int argc, char *argv[])
    {
        char user_input[100];
        int *secret;
        int int_input;
        int a, b, c, d; /* other variables, not used here */

        /* secret value stored on the heap */
        secret = (int *) malloc(2 * sizeof(int));

        /* getting the secret */
        secret[0] = secret1;
        secret[1] = secret2;

        /* %8x with pointer arguments: 32-bit build assumed, as in the lab */
        printf("The variable secret’s address is 0x%8x (on stack)\n", &secret);
        printf("The variable secret’s value is 0x%8x (on heap)\n", secret);
        printf("secret[0]’s address is 0x%8x (on heap)\n", &secret[0]);
        printf("secret[1]’s address is 0x%8x (on heap)\n", &secret[1]);

        printf("Please enter a decimal integer\n");
        scanf("%d", &int_input);  /* getting an input from the user */

        printf("Please enter a string\n");
        scanf("%s", user_input);  /* getting a string from the user */

        /* vulnerable place: user input is used directly as the format string */
        printf(user_input);
        printf("\n");

        /* verify whether the attack was successful */
        printf("The original secrets: 0x%x -- 0x%x\n", secret1, secret2);
        printf("The new secrets:      0x%x -- 0x%x\n", secret[0], secret[1]);

        return 0;
    }

I'm attempting to perform a format string attack on a virtual machine. For that, I need to know the address where the secrets are being stored. The program tells me this through the output of these lines:

    printf("The variable secret’s address is 0x%8x (on stack)\n", &secret);
    printf("The variable secret’s value is 0x%8x (on heap)\n", secret);
    printf("secret[0]’s address is 0x%8x (on heap)\n", &secret[0]);
    printf("secret[1]’s address is 0x%8x (on heap)\n", &secret[1]);

The nature of the attack requires sending non-ASCII hex values as input to the 2nd scanf, so I can't type the input myself. I have accomplished setting the input using perl, like this:

ramtest@ramtest-virtualbox:/tmp$ perl -e 'print "5\x0a"; print "\x08\xb0\x04\x08%x.%x.%x.%x.%x.%x.%x";' > /tmp/input 

Then I run:

$gdb ./vul_prog < /tmp/input 

I've gotten this method to work in an environment with memory randomization off: I can run the program once, look at the memory addresses, change the perl script, and run it again. However, with memory randomization on, I can't know the addresses before I run it, so I need to be able to see the portion of the program that tells me the addresses run before I create and send the input.

I've attempted it in the way that seemed intuitive, shown here, but I get a syntax error.

    Starting program: /home/ramtest/downloads/vulprog
    The variable secret’s address is 0xbfffefd8 (on stack)
    The variable secret’s value is 0x 804b008 (on heap)
    secret[0]’s address is 0x 804b008 (on heap)
    secret[1]’s address is 0x 804b00c (on heap)
    Please enter a decimal integer
    1
    Please enter a string

    Breakpoint 2, 0x0804858f in main ()
    (gdb) c > /tmp/input
    A syntax error in expression, near `> /tmp/input'.
    (gdb) c < /tmp/input
    A syntax error in expression, near `< /tmp/input'.

Is it possible for me to set a breakpoint in gdb right before I'm prompted for input, and then somehow send the /tmp/input contents as the input?

If so, how do I go about that?

Any help is appreciated.

Just use the run command. I'll demonstrate feeding /bin/cat to gdb, and breaking in main(), with standard input redirected:

Example:

    $ gdb /bin/cat
    GNU gdb (GDB) Fedora 7.12.1-47.fc25
    [ ... ]
    (gdb) b main
    Breakpoint 1 at 0x1bc0
    (gdb) run </etc/issue
    Starting program: /usr/bin/cat </etc/issue

    Breakpoint 1, 0x0000555555555bc0 in main ()
    (gdb) c
    Continuing.
    \S
    Kernel \r on an \m (\l)

    [Inferior 1 (process 18190) exited normally]
    (gdb)

You should be able to start the program under gdb, set a breakpoint before the scanf, and run it with standard input redirected from an empty file. I don't expect the program to attempt to read standard input until then, so it won't see the end-of-file condition on the redirected standard input.

When the breakpoint hits you should have the memory addresses; prepare the payload and append it to the zero-length file, then

c 

The execution should proceed and attempt to read the payload that's now available on standard input.

A variation of this technique that won't require a debugger is to use a named pipe that gets opened for writing in advance, then run the program with standard input redirected from the named pipe. The expected result is the program printing the memory addresses, then blocking when it reads from the pipe. At that point you can prepare the payload and write it to the pipe.
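Both stdin strategies from this answer, the zero-length regular file that is appended to before the first read and the named pipe, as an added shell example that is not part of the original answer. /bin/cat stands in for the debugged program, a sleep stands in for the stretch of execution before the breakpoint and the scanf, and no gdb is needed; the scratch directory and the payload text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: the two stdin strategies
# described above, with /bin/cat standing in for the debugged program.
# No gdb involved; the point is how input written later reaches a process
# whose standard input was redirected when it started.
set -eu

workdir=$(mktemp -d)            # constructed scratch location
trap 'rm -rf "$workdir"' EXIT

# Strategy 1 (the gdb one): start the reader with stdin redirected from a
# zero-length regular file, then append the payload before the reader's
# first read().  The sleep stands in for the part of the run that happens
# before the breakpoint; cat has not touched stdin yet, so it never sees
# the end-of-file condition of the originally empty file.
feed_via_regular_file() {
    input="$workdir/input"
    out="$workdir/out1"
    : > "$input"                            # empty file, like an empty /tmp/input
    ( sleep 1; cat ) < "$input" > "$out" &
    reader=$!
    printf 'payload-line\n' >> "$input"     # "append to the zero-length file"
    wait "$reader"                          # cat reads the appended bytes, then hits EOF
    cat "$out"
}

# Strategy 2 (no debugger): a named pipe.  The reader blocks on the FIFO
# until a writer shows up, so there is no timing guess; the writer decides
# when the program gets its input.
feed_via_named_pipe() {
    fifo="$workdir/fifo"
    out="$workdir/out2"
    rm -f "$fifo"
    mkfifo "$fifo"
    cat < "$fifo" > "$out" &                # blocks in open() until the pipe has a writer
    reader=$!
    printf 'late-payload\n' > "$fifo"       # opening for writing releases the reader
    wait "$reader"                          # writer closed, so cat sees EOF and exits
    cat "$out"
}

echo "regular file: $(feed_via_regular_file)"
echo "named pipe:   $(feed_via_named_pipe)"
```

The regular-file variant only works because nothing reads the file before the append; if the reader had already reached end-of-file, a C stdio stream would have its EOF indicator set and later appends would not be picked up. The FIFO variant has no such window, which is why it is the more robust choice when no debugger is in the loop.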

