Muhammad Danish - 3 months ago
C Question

GDB Debugging: Passing arguments using IO redirection

I am learning how to exploit a buffer overflow. Below is the program I am playing with

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[256];
    printf("%p\n", buffer);     /* print the stack address of buffer for the exercise */
    strcpy(buffer, argv[1]);    /* deliberately unbounded copy: an argv[1] longer than 256 bytes overflows buffer */
    printf("%s\n", buffer);
    return 0;
}


I compile this program with:
gcc -fno-stack-protector -z execstack program.c -o program

I loaded this program in gdb:
gdb ./program

If I issue following command:
run $(python -c 'print "A" * 3000')
It will overwrite the registers as desired:

rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffd938 0x7fffffffd938
r8 0x4141414141414141 0x4141414141414141
r9 0x4141414141414141 0x4141414141414141
r10 0x4141414141414141 0x4141414141414141


.....
But if I give arguments to the program using IO redirection, the registers' values are not overwritten as desired.

fuzz.py

#!/usr/bin/python
print 'A' * 3000


I output all the 'A's to the file f using
python fuzz.py > f


I run the program in gdb
gdb ./program

Now if I give an argument to the program using IO redirection, I get abnormal output:

run < f


I get the following error:


Stopped reason: SIGSEGV
__strcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.


Why am I getting this error
__strcpy_sse2_unaligned
while if I pass arguments using
run $(python -c 'print "A" * 3000')
I only get the SIGSEGV error, which is what I desired?

info registers:

rbp 0x7fffffffe4f0 0x7fffffffe4f0
rsp 0x7fffffffe3d8 0x7fffffffe3d8
r8 0x0 0x0
r9 0xf 0xf
r10 0x5d 0x5d


Why are the registers not overwritten by 'A's?

Q1)
Why is passing arguments in gdb using:

run $(python -c 'print "A" * 3000')


and

run < f


not equivalent? f is the file which contains 3000 'A's.

Q2)
What is the meaning of this error:
__strcpy_sse2_unaligned ()

Answer

You are taking input from the command-line arguments, not from standard input:

strcpy(buffer, argv[1]);

So you should use:

run $(python -c 'print "A" * 3000')

The < redirection would work if you're reading from stdin, for example with scanf.

The __strcpy_sse2_unaligned SIGSEGV is caused by you trying to strcpy from uninitialized memory (argv[1], which is actually NULL since it's argv[argc] in your case). GDB then tries to find the source for that internal function, but fails.
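
As an added example (not part of the original question or answer), here is the program above reworked so the payload can arrive on either channel, with the NULL check on argv[1] that the original lacks. With "run $(python -c ...)" gdb starts the process with argc == 2 and argv[1] pointing at the A's; with "run < f" it starts with argc == 1, argv[1] == argv[argc] == NULL, and the A's sit in stdin instead. The names read_payload, payload_source and make_stdin_payload are my own, and the tmpfile() helper stands in for the file f so the block runs without it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Which channel supplied the payload. */
enum payload_source { SRC_NONE = 0, SRC_ARGV = 1, SRC_STDIN = 2 };

/*
 * Copy the payload into dst (capacity cap, always NUL-terminated).
 * argv[1] is used when present; otherwise the first line of `in` is used.
 * Returns the number of payload bytes that arrived (before truncation), so
 * a caller can see that 3000 'A's were delivered even though only 255 fit,
 * or -1 when neither channel carried anything.
 */
static long read_payload(int argc, char **argv, FILE *in,
                         char *dst, size_t cap, enum payload_source *src)
{
    *src = SRC_NONE;
    if (cap == 0)
        return -1;
    dst[0] = '\0';

    /* "run $(python -c ...)": argc == 2 and argv[1] points at the A's. */
    if (argc >= 2 && argv[1] != NULL) {
        size_t len = strlen(argv[1]);
        size_t n = len < cap - 1 ? len : cap - 1;   /* bounded, unlike strcpy() */
        memcpy(dst, argv[1], n);
        dst[n] = '\0';
        *src = SRC_ARGV;
        return (long)len;
    }

    /*
     * "run < f": argc == 1, so argv[1] == argv[argc] == NULL (C11 5.1.2.2.1)
     * and the original strcpy(buffer, argv[1]) dereferences NULL. The A's are
     * waiting on stdin instead, terminated by the '\n' that print added.
     */
    long total = 0;
    size_t used = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        total++;
        if (used < cap - 1)
            dst[used++] = (char)c;
    }
    dst[used] = '\0';
    if (c == EOF && total == 0)
        return -1;                 /* empty stdin: no payload at all */
    *src = SRC_STDIN;
    return total;
}

/* Constructed stand-in for the file f: n 'A's plus the trailing newline. */
static FILE *make_stdin_payload(size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        fputc('A', f);
    fputc('\n', f);
    rewind(f);
    return f;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    enum payload_source src;
    long n = read_payload(argc, argv, stdin, buffer, sizeof buffer, &src);
    if (n < 0) {
        fprintf(stderr, "no payload on argv[1] or stdin\n");
        return 1;
    }
    printf("source=%s delivered=%ld kept=%zu\n",
           src == SRC_ARGV ? "argv" : "stdin", n, strlen(buffer));
    return 0;
}
```

Two caveats when switching between the channels in gdb: the $(...) substitution strips the trailing newline that print emits, while "run < f" delivers it, so a stdin reader sees 3001 bytes unless it stops at '\n' as above; and argv strings are NUL-terminated, so a payload containing a 0x00 byte can only be delivered whole over stdin.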
