14

I'm in a software security class and we are currently learning about buffer overflows and how they are exploited. I have a program that I know how to exploit, but I appear to be unable to do so because I have to write hex that it is not allowing me to write.

I need to write the data generated from:

perl -e 'print "A"x48; print "\x1b\x88\x04\x08";'

However, I cannot redirect that output into the command line arguments because the program runs interactively. Historically, I have used xclip to copy it to the clipboard and then paste it into the running application, but for some reason, this sequence of hex does not allow me to use xclip to copy it (it shows as nothing has been copied).

For example:

perl -e 'print "A"x48; print "\x1b\x88\x04\x08";' | xclip -sel clip

If I ctrl+V after that, nothing gets pasted. If I simply copy and paste the output from the terminal window, the wrong hex is pasted (I'm assuming this is because the hex isn't visible ASCII).

My question is: does GDB have some way for me to insert generated text like this into an interactive, running program?

I'm aware that if the exploitable program took command line arguments, I could do:

run $(perl -e 'print "A"x48; print "\x1b\x88\x04\x08";')

But since it doesn't run via cli arguments, this isn't usable.

Any help would be awesome!

Chris
  • 1,569
  • 2
  • 11
  • 18
  • You can redirect the standard input to read from a file or pipe. – n. m. could be an AI Mar 25 '13 at 22:50
  • How can I do that AND run GDB with breakpoints at the same time? I know I can do "perl -e ... | ./program", but that doesn't start gdb with breakpoints. "perl -e ... | gdb ./program" starts gdb, but doesn't run the program or use breakpoints. – Chris Mar 25 '13 at 23:07
  • You can enter those from the keyboard... http://superuser.com/questions/59418/how-to-type-special-characters-in-linux – Jim Black Mar 26 '13 at 03:16

1 Answers1

29

My question is: does GDB have some way for me to insert generated text like this into an interactive, running program?

Your question is based on mis-understanding: you appear to be under impression that GDB is somehow intercepting the "paste" you are performing, and not letting the characters to be read by the target program.

However, GDB is not intercepting any input, until and unless you are stopped at a breakpoint (or due to a signal). So while your program is running (and reading the input), GDB itself is blocked (in waitpid system call) waiting for something to happen.

So what prevents your program from receiving the control characters? Your terminal emulator does.

Ok, how can you arrange for the non-ASCII input? One of 3 ways (two are very similar):

  1. use input from file
  2. use input from named pipe
  3. use gdbserver

For method#1:

perl -e 'print "A"x48; print "\x1b\x88\x04\x08";' > /tmp/input
gdb ./a.out
(gdb) run < /tmp/input   # voila: GDB reads terminal,
                         # your program reads /tmp/input

Method#2:

mkfifo /tmp/pipe
perl -e 'print "A"x48; print "\x1b\x88\x04\x08";' > /tmp/pipe &
# perl will block, waiting for someone to read the pipe
gdb ./a.out
(gdb) run < /tmp/pipe

Both of the above methods will work for "normal" programs (ones that read STDIN), but will fail for programs that read terminal directly (such as sudo, passwd, gpg).

Method#3:

perl -e 'print "A"x48; print "\x1b\x88\x04\x08";' |
gdbserver :0 ./a.out  # gdbserver will print a TCP port, e.g. 4321
                      # and stop the program at start

# in another window,
gdb ./a.out
(gdb) target remote :4321
# gdb will now attach to gdbserver, you can set breakpoints and continue.
Employed Russian
  • 199,314
  • 34
  • 295
  • 362