[SOLVED] Trying to induce buffer overflow with GDB, but Python wants to shove a newline on the end of RIP
I'm near my wits' end with this program, which accepts a small 32-character array meant to educate users on simple buffer overflows. I don't have the source code, but I know it uses printf and puts (thanks to objdump) to print an array 32 characters in length, because "sub" calls in assembly language make room on the program stack for an argument of 32 characters like so:
Code:
sub rsp,0x20
Also, any longer input starts returning garbage characters to the terminal. I've overwritten $rbp with an extra 8 bytes, and I'm trying to overwrite the instruction pointer as well. However, *each and every time* I try, with something like:
I can overwrite $rip with letters, numbers, an address, nothing matters. It'll always, ALWAYS return that 0a, so basically the above will look like 0x00000a43424242. I did some digging around to find that the 0a is a newline. Also, in GDB-peda the $rip row for something like the above will contain ('BBBBC\n') and if I try to overwrite the newline with an extra byte I'm doing it wrong because $rip will return to 0x400771 - the address of main() in this program.
Now for what I've tried to do to get rid of the newline. I've fed Python, Perl and Ruby script into the working terminal. I've used flush commands and unbuffer. I've tried sys.stdout.write("") instead of print("") for Python. I've tried the .chomp() function in Perl. I've set hot file handles. I've even used different versions of GDB on different computers, thinking it was an encoding issue.
Nothing is working and I'm ready to give up, so, any ideas?
Last edited by RickDeckard; 08-21-2019 at 08:00 PM.
Reason: added examples of commands I've already tried in the debugger
Thank you for the idea, Sefyir. I must admit it's not one I had thought of to begin with, nor even knew existed. However, it didn't help. But what did was using the printf command from the terminal, so now I end up with:
At least I can say I'm getting somewhere. All I need to do now is turn this detection off or do the exercise from my other computer. Making Python work from GDB without newlines would just be icing on the cake at this point.
<<< acts like a single-line HERE document. That is what is adding the \n.
Code:
$ od -tx1c <<< "wibble"
0000000 77 69 62 62 6c 65 0a
w i b b l e \n
0000007
$ od -tx1c < <( printf "wibble" )
0000000 77 69 62 62 6c 65
w i b b l e
0000006
$
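To make the point above checkable, here is an added bash script (not from the thread) that feeds the same four-byte string through each input method mentioned in the thread and reports the last byte the receiving program actually sees, using od exactly as in the post. It also shows why swapping print() for sys.stdout.write() could not help the OP: "$(...)" strips trailing newlines, but the <<< here-string adds one back. Function names and the "BBBB" sample are my own.

```bash
#!/usr/bin/env bash
# Added example: which input methods append a trailing newline (0x0a)?
# The "program" on the receiving end is just od/wc, so nothing is
# overflowed; the only thing measured is the final byte and the byte count.

# Print the hex value of the last byte read from stdin ("none" if empty).
last_byte() {
  local hex
  hex=$(od -An -v -tx1 | tr -s ' \n' ' ')   # e.g. " 42 42 42 42 0a "
  hex=${hex% }                              # drop the trailing space
  [ -z "$hex" ] && { echo none; return; }
  echo "${hex##* }"                         # last whitespace-separated token
}

# Print the number of bytes read from stdin.
byte_count() {
  wc -c | tr -d ' '
}

# Here-string: bash appends "\n" itself, which is what the OP kept seeing.
herestring_last() { last_byte <<< "BBBB"; }              # prints 0a

# echo also appends "\n" unless told not to.
echo_last() { echo "BBBB" | last_byte; }                 # prints 0a

# printf writes exactly what it is given.
printf_last() { printf 'BBBB' | last_byte; }             # prints 42

# Process substitution, as in the reply above: no newline added.
procsub_last() { last_byte < <(printf 'BBBB'); }         # prints 42

# Command substitution strips trailing newlines, but the here-string
# that wraps it still appends one, so a newline-free producer does not help.
subst_last() { last_byte <<< "$(printf 'BBBB')"; }       # prints 0a

# Byte counts: the here-string delivers 5 bytes for a 4-character string.
herestring_count() { byte_count <<< "BBBB"; }            # prints 5
printf_count() { printf 'BBBB' | byte_count; }           # prints 4
```

Run `bash -x` on it, or call the individual functions after sourcing the file, to see each method's last byte.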