How to redirect to a different location using GDB?

0

Basically I have:

#include <stdio.h>
#include <string.h>   /* strcpy() needs this header */

int main(int argc, char *argv[])
{
    char buf[100];
    strcpy(buf, argv[1]);   /* unchecked copy: overflows buf if argv[1] is 100+ chars */
    printf("Buf congains: %s\n", buf);
    return 0;
}

As far as I have debugged it, below is what is happening:

Executing in the shell:

run `perl -e 'print "A"x100'`

  1. copy argv[1] to $rbp
  2. after executing strcpy(), copy argv[1] from $rbp to $rsp/buf
  3. print the data from $rsp

Stack dump while stopped at a breakpoint on the printf() line:

Breakpoint 1, main (argc=2, argv=0x7fffffffebd8) at main.c:7
7           printf("Buf congains: %s\n", buf);
(gdb) x/50x $rsp
0x7fffffffea70: 0xffffebd8      0x00007fff      0x00400372      0x00000002
0x7fffffffea80: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffea90: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffeaa0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffeab0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffeac0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffead0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffeae0: 0x41414141      0x00007f00      0x79529b00      0x7349452f
0x7fffffffeaf0: 0x00000000      0x00000000      0xf7a35ec5      0x00007fff
0x7fffffffeb00: 0x00000000      0x00000000      0xffffebd8      0x00007fff
0x7fffffffeb10: 0x00000000      0x00000002      0x004005f6      0x00000000
0x7fffffffeb20: 0x00000000      0x00000000      0xd23fb797      0xacdf42c3
0x7fffffffeb30: 0x00400500      0x00000000

Question: basically, what I want is to modify the data at a different memory location and point buf to that location.

For example, modify 0x7fffffffeb20 in $rsp using set {char[5]}0x7fffffffeb20 = "BCDE", and then set the data at 0x7fffffffeab0 to point to 0x7fffffffeb20, so that when $rip is executing at address 0x7fffffffeab0 it reads the extra data from 0x7fffffffeb20.

Thanks in advance :)

c
debugging
gdb
asked on Stack Overflow Sep 4, 2018 by asdfasdfasdf • edited Sep 5, 2018 by Barmar

1 Answer

1

buf is not a variable, so you can't change it dynamically. If you want to be able to change the address, add a pointer variable.

#include <stdio.h>
#include <string.h>   /* strcpy() needs this header */

int main(int argc, char *argv[])
{
    char buf[100];
    char *bufp = buf;   /* pointer variable whose value can be changed in GDB */
    strcpy(buf, argv[1]);
    printf("Buf contains: %s\n", bufp);
    return 0;
}

Then you can change the value of bufp after strcpy() and it will use that.

(gdb) set variable bufp = 0x7fffffffeb20;

BTW, you're causing a buffer overflow with your 100 A's. buf[100] only has room for 100 characters, but you need buf[101] to allow room for the 100 letters and the trailing null byte. So the strcpy() results in undefined behavior.

If you're studying buffer overflows and shellcode, this may be intentional, but otherwise you should fix it.

answered on Stack Overflow Sep 4, 2018 by Barmar • edited Sep 5, 2018 by Barmar
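A worked version of the answer's approach, added here as an example (not code from the question or the answer): the unchecked strcpy() is replaced by a hypothetical bounded copy_arg() helper that reports truncation, and bufp stays the pointer variable a debugger can repoint. BUF_SIZE, copy_arg() and bytes_strcpy_writes() are this example's own names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* same capacity as buf[100] in the question */

/* Bounded replacement for the unchecked strcpy() in the question.
 * Copies src into dst (capacity dstsz), always NUL-terminating.
 * Returns 1 if src fit, 0 if it had to be truncated.
 * Hypothetical helper written for this example, not from the post. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {                 /* 100 'A's into a 100-byte buf: */
        memcpy(dst, src, dstsz - 1);  /* no room for the trailing '\0' */
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);          /* includes the terminator */
    return 1;
}

/* Bytes strcpy(buf, src) would write, terminator included; compare
 * with BUF_SIZE to see why 100 'A's overflow buf[100] by one byte. */
size_t bytes_strcpy_writes(const char *src)
{
    return strlen(src) + 1;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    char *bufp = buf;   /* pointer variable: a debugger can repoint it */

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (!copy_arg(buf, sizeof buf, argv[1]))
        fprintf(stderr, "warning: argument truncated to %zu bytes\n",
                sizeof buf - 1);

    /* In GDB, once copy_arg() has returned, the pointer can be redirected:
     *   (gdb) set variable bufp = (char *)<address of the other data>
     * buf itself is an array with no address slot to overwrite, so only
     * bufp can be changed this way. */
    printf("Buf contains: %s\n", bufp);
    return 0;
}
```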

User contributions licensed under CC BY-SA 3.0