Muhammad Danish Muhammad Danish - 1 year ago 148
C Question

GDB Debugging: Passing arguments using IO redirection

I am learning how to exploit a buffer overflow. Below is the program I am playing with

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
char buffer[256];
printf("%p\n", buffer);
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
return 0;

I compile this program with:
gcc -fno-stack-protector -z execstack program.c -o program

I loaded this program in gdb:
gdb ./program

If I issue following command:
run $(python -c 'print "A" * 3000')
It will overwrite the registers as desired:

rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffd938 0x7fffffffd938
r8 0x4141414141414141 0x4141414141414141
r9 0x4141414141414141 0x4141414141414141
r10 0x4141414141414141 0x4141414141414141

But if I give arguments to the program using IO redirection registers' values are not overwritten as desired.

print 'A' * 3000

I output all 'A's to file f using > f

I run the program in gdb
gdb ./program

Now If I give a argument to program using IO redirection I get abnormal output:

run < f

I get the following error:

Stopped reason: SIGSEGV
__strcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.

Why I am getting this error
while if I pass arguments using
run $(python -c 'print "A" * 3000')
I will only get SIGSEGV error which I desired.

info registers:

rbp 0x7fffffffe4f0 0x7fffffffe4f0
rsp 0x7fffffffe3d8 0x7fffffffe3d8
r8 0x0 0x0
r9 0xf 0xf
r10 0x5d 0x5d

Why are the registers not overwritten by 'A's?

Why are passing arguments in gdb using:

run $(python -c 'print "A" * 3000')


run < f

not equal? f is the file which contains 3000 'A's.

What is the meaning of this error:
__strcpy_sse2_unaligned ()

Answer Source

You are taking input from command line arguments, not the standard input:

strcpy(buffer, argv[1]);

So you should use:

run $(python -c 'print "A" * 3000')

The < redirection would work if you're reading from stdin, for example with scanf.

The __strcpy_sse2_unaligned SIGSEGV is caused by you trying to strcpy from uninitialized memory (argv[1], which is actually NULL since it's argv[argc] in your case). GDB then tries to find the source for that internal function, but fails.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download