bernie2436

Reputation: 23911

is there any way to turn off gdb's buffer checking for input?

I am learning to cause buffer overflows for a security class using GDB. I have an input file that successfully causes a program to jump to an unauthorized function by writing a buffer overflow when I feed it as input like this:

sh myFile.txt | ./myProgram

Now I want to examine the unauthorized function using GDB. But when I feed myFile as input to GDB using either the tty command or using <, GDB only takes a middle 20 bytes of my input to fill the 20-byte buffer. It seems like GDB is "checking" the buffer size of the input.

  1. Is that what gdb is doing?
  2. If so, is there way to turn it off?

The C code looks like this:

  #include <stdio.h>

  int main(void) {
    char one[20];
    char two[20];

    printf("..."); fflush(stdout);
    gets(one);   //only takes 20 bytes from the middle of printf "morethan20bytes..." from input file
    printf("..."); fflush(stdout);
    gets(two);   //only takes 20 bytes from the middle of printf "morethan20bytes..." from input file
    return 0;
  }

Upvotes: 1

Views: 269

Answers (1)

selbie

Reputation: 104559

gdb isn't "taking" anything. It just assumes you only want to see the contents of "one" and nothing more.

Are you aware of the {type}expr@num notation for printing variables in the debugger? For example, to see the contents of "one" past the 20th index in the buffer:

(gdb) next
...10     gets(one);   //only takes last 20 bytes of printf "morethan20bytes..." from input file
(gdb) next
BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH   # <== simulating input
11    printf("..."); fflush(stdout);

(gdb) print one
$2 = "BLAHBLAHBLAHBLAHBLAH"

Above, it appears that "one" only has 20 chars in it. But that's because gdb is assuming you only want to see 20 bytes.

Let's now print out the first 40 characters that start at the memory address of "one".

(gdb) print {char}one@40
$3 = "BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH"

You can clearly see that it goes past the buffer length.

(gdb) print two
$4 = "BLAHBLAHBLAH\000\000\000\000\000\000\000"

And you can see that the overrun wrote into "two" as well.

(gdb) x one
0x7fffffffe750: 0x48414c42
(gdb) print {char}0x7fffffffe750@40
$6 = "BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH"

Above you can see we can do the same thing with memory addresses.

Upvotes: 2
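The inspection steps from the answer collected into a gdb command file, as an added example that is not part of the original post. It assumes the program is built with `-g` as `./myProgram`, that the overflowing input lives in `input.txt`, and that line 12 of `myProgram.c` is the `printf` just after the first `gets(one)` (all of these are assumptions):

```gdb
# Run with:  gdb -q -batch -x inspect.gdb ./myProgram
# gdb's own "run" command accepts shell-style redirection, so the
# whole input file reaches the program, not just the middle 20 bytes.
set pagination off
break myProgram.c:12          # assumed: first statement after gets(one)
run < input.txt               # assumed input file name

print sizeof(one)             # 20: this is why "print one" stops at 20 chars
print one                     # gdb prints only the declared 20-byte array
print {char}one@40            # same address, 40 bytes: shows the overrun
print (char *)&two - (char *)&one   # distance between the two buffers on the stack
print two                     # bytes the overrun spilled into "two"
x/40xb &one                   # raw hex view of the same 40 bytes
```

If the distance printed between the buffers is negative, the compiler placed "two" below "one" and the overrun from gets(one) runs toward the return address instead of into "two"; the `{char}one@40` view still shows the bytes past the array either way.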
