漏洞利用可在gdb中使用，但不能在命令行上使用

Question

I've been going through "hacking: The art of exploitation" and following the examples. On page 145, the author demonstrates how to exploit the notesearch.c program with shellcode stored in an environment variable. Erickson does this with the following:

./notesearch $(perl -e 'print "\\x47\\xf9\\xff\\xbf"x40')

On the command line, this doesn't work for me, but in GDB, typing

run $(perl -e 'print "\\x47\\xf9\\xff\\xbf"x40')

does work.

Notes: Now of course, his address above is different than my address due to protections in the CPU, but I just followed his example by running notesearch in gdb, getting the address of the shellcode in the environment variable, adding 100 to it:

(gdb) x/ s 0xbffff8e3 + 100

Of course my address is different than his above, but still, everything checked out, but it didn't work.

****BUT****

When I run his exploit code in GDB, it works fine.

run $(perl -e 'print "\\x47\\xf9\\xff\\xbf"x40')

So why would

run $(perl -e 'print "\\x47\\xf9\\xff\\xbf"x40')

work in gdb, and give me a root shell but

./notesearch $(perl -e 'print "\\x47\\xf9\\xff\\xbf"x40')

on the command line won't work? Is address randomization turned off in gdb but not in the OS? Is there a mismatch between what addresses GDB shows and what addresses the program is really running at? Thanks in advance for any guidance.

Answer 1

We don't need to draw on ASLR to explain why Exploit works in gdb but not on the command line . When running in GDB, the stack location is simply shifted a bit (on my system, 80 Bytes down), so the provided address 0xbffff947 needs to be adjusted to work from the shell command line. To verify this, just have a look by putting eg

    printf("searchstring = %p\n", searchstring);

in notesearch.c ; you'll possibly see a constant address every time you run the command from the shell, and another constant address every time you run from GDB.