Basically I have:
#include <stdio.h>
#include <string.h>   /* strcpy() */

int main(int argc, char *argv[])
{
    char buf[100];
    strcpy(buf, argv[1]);   /* unbounded copy of argv[1] into buf */
    printf("Buf congains: %s\n", buf);
    return 0;
}
As far as I have debugged it, below is what is happening:

1. executing shell: run `perl -e 'print "A"x100'`
2. argv[1] to $rbp
3. strcpy() copies argv[1] from $rbp to $rsp/buf

Stack print while stopped at a breakpoint on the printf() line:
Breakpoint 1, main (argc=2, argv=0x7fffffffebd8) at main.c:7
7 printf("Buf congains: %s\n", buf);
(gdb) x/50x $rsp
0x7fffffffea70: 0xffffebd8 0x00007fff 0x00400372 0x00000002
0x7fffffffea80: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffea90: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffeaa0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffeab0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffeac0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffead0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffeae0: 0x41414141 0x00007f00 0x79529b00 0x7349452f
0x7fffffffeaf0: 0x00000000 0x00000000 0xf7a35ec5 0x00007fff
0x7fffffffeb00: 0x00000000 0x00000000 0xffffebd8 0x00007fff
0x7fffffffeb10: 0x00000000 0x00000002 0x004005f6 0x00000000
0x7fffffffeb20: 0x00000000 0x00000000 0xd23fb797 0xacdf42c3
0x7fffffffeb30: 0x00400500 0x00000000
Question: Basically what I want is to modify the data at a different memory location and point buf to that location. For example, modify 0x7fffffffeb20 in $rsp using `set {char[5]}0x7fffffffeb20 = "BCDE"`, and then set the data at 0x7fffffffeab0 to point to 0x7fffffffeb20, so that when $rip is executing at address 0x7fffffffeab0, it should read the extra data from 0x7fffffffeb20.
Thanks in advance :)
`buf` is not a variable, so you can't change it dynamically. If you want to be able to change the address, add a pointer variable.
#include <stdio.h>
#include <string.h>   /* strcpy() */

int main(int argc, char *argv[])
{
    char buf[100];
    char *bufp = buf;   /* a real variable, so gdb can repoint it */
    strcpy(buf, argv[1]);
    printf("Buf contains: %s\n", bufp);
    return 0;
}
Then you can change the value of `bufp` after `strcpy()` and it will use that.
(gdb) set variable bufp = 0x7fffffffeb20;
BTW, you're causing a buffer overflow with your 100 A's. `buf[100]` only has room for 100 characters, but you need `buf[101]` to allow room for the 100 letters and the trailing null byte. So the `strcpy()` results in undefined behavior.
If you're studying buffer overflows and shellcode, this may be intentional, but otherwise you should fix it.
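As an added example (not part of the answer above or the poster's code), the program below makes the off-by-one concrete and shows the bounded replacement. `struct frame_sim` is a constructed stand-in for the frame in the question: `buf` followed by the bytes that happen to sit after it. It is not the real stack layout, which is compiler- and ABI-dependent; it just keeps the overrun inside an object we own so it can be observed without crashing the process. `unbounded_copy()` is `strcpy()` written out by hand so the write past the array is visible, and `bounded_copy()` is the fix: it never writes past `dst[dst_len - 1]`, always NUL-terminates, and returns the stored length so truncation can be detected.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100

/* Constructed stand-in for the frame in the question: buf followed by the
 * bytes that happen to live after it.  Real stack layout is compiler- and
 * ABI-dependent; this struct just makes the overrun observable in-process. */
struct frame_sim {
    char buf[BUF_SIZE];
    unsigned char after[8];   /* first bytes past the end of buf */
};

/* strcpy() semantics written out so the overrun is visible: copies every
 * byte of src, including the terminating NUL, with no bound on dst. */
static void unbounded_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounded replacement: never writes past dst[dst_len - 1] and always
 * NUL-terminates.  Returns the number of characters stored, so a caller can
 * detect truncation by comparing the result with strlen(src). */
size_t bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return 0;
    if (n > dst_len - 1)
        n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Build the equivalent of perl -e 'print "A"x<n>', capped so that the
 * unbounded copy below stays inside frame_sim and cannot corrupt this
 * program's own stack. */
static void make_a_run(char *out, size_t out_len, size_t n)
{
    if (n > out_len - 1)
        n = out_len - 1;
    memset(out, 'A', n);
    out[n] = '\0';
}

/* Copy n A's into the frame with strcpy-style semantics and return the byte
 * right after buf: 0xCC means untouched, 0x00 means the NUL landed there,
 * 0x41 ('A') means the payload itself ran past the end. */
unsigned char sentinel_after_unbounded(size_t n)
{
    struct frame_sim f;
    char input[BUF_SIZE + sizeof f.after];
    memset(f.buf, 0, sizeof f.buf);
    memset(f.after, 0xCC, sizeof f.after);
    make_a_run(input, sizeof input, n);
    unbounded_copy(f.buf, input);
    return f.after[0];
}

/* Same experiment with the bounded copy: the byte after buf is never touched. */
unsigned char sentinel_after_bounded(size_t n)
{
    struct frame_sim f;
    char input[BUF_SIZE + sizeof f.after];
    memset(f.buf, 0, sizeof f.buf);
    memset(f.after, 0xCC, sizeof f.after);
    make_a_run(input, sizeof input, n);
    bounded_copy(f.buf, sizeof f.buf, input);
    return f.after[0];
}

int main(void)
{
    printf("99 A's,  strcpy-style: after[0] = 0x%02x\n", sentinel_after_unbounded(99));
    printf("100 A's, strcpy-style: after[0] = 0x%02x\n", sentinel_after_unbounded(100));
    printf("105 A's, strcpy-style: after[0] = 0x%02x\n", sentinel_after_unbounded(105));
    printf("100 A's, bounded:      after[0] = 0x%02x\n", sentinel_after_bounded(100));
    printf("105 A's, bounded:      after[0] = 0x%02x\n", sentinel_after_bounded(105));
    return 0;
}
```

With exactly 100 A's the only byte that escapes `buf` is the terminating NUL, which is why the program in the question usually still prints fine: the damage is one zero byte after the array, and whether that matters depends on what the compiler placed there. Once the input is longer than the array, the A's themselves start overwriting the following memory. The bounded version drops the extra characters and keeps the terminator inside the array, and its return value (99 for a 100-character input into a 100-byte buffer) tells the caller that truncation happened.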
User contributions licensed under CC BY-SA 3.0