LinuxQuestions.org
Old 08-21-2019, 05:09 PM   #1
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 160

Trying to induce buffer overflow with GDB, but Python wants to shove a newline on the end of RIP


I'm near my wits' end with this program, which accepts a small 32-character array meant to educate users on simple buffer overflows. I don't have the source code but I know it uses printf and puts (thanks to objdump) to print an array 32 characters in length because "sub" calls in assembly language make room with the program stack for an argument of 32 characters like so:

Code:
sub rsp,0x20
And also, because input any longer starts to return garbage characters to terminal. I've overwritten $rbp with an extra 8 bytes, and I'm trying to overwrite the instruction pointer as well. However, *each and every time* I try, with something like:

Code:
gdb> r <<< $(python -c 'print "A"*32 + "B"*8 + "\x42\x42\x42\x42\x43"')
GDB tells me that $rip is the following:

Code:
0x00000a...
I can overwrite $rip with letters, numbers, an address, nothing matters. It'll always, ALWAYS return that 0a, so basically the above will look like 0x00000a43424242. I did some digging around to find that the 0a is a newline. Also, in GDB-peda the $rip row for something like the above will contain ('BBBBC\n') and if I try to overwrite the newline with an extra byte I'm doing it wrong because $rip will return to 0x400771 - the address of main() in this program.

Now for what I've tried to do to get rid of the newline. I've fed Python, Perl and Ruby script into the working terminal. I've used flush commands and unbuffer. I've tried sys.stdout.write("") instead of print("") for Python. I've tried the .chomp() function in Perl. I've set hot file handles. I've even used different versions of GDB on different computers, thinking it was an encoding issue.

Nothing is working and I'm ready to give up, so, any ideas?

Last edited by RickDeckard; 08-21-2019 at 08:00 PM. Reason: added examples of commands I've already tried in the debugger
 
Old 08-21-2019, 08:41 PM   #2
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 604

Not sure about gdb,

In python3 you can specify the end character which defaults to '\n'

Code:
print("1")
print("2", end="")
print("3")
Code:
1
23
Code:
python -c 'print("example", end="")'
I'm not sure if you can do that with the python2 print, but you should be able to import the functionality of the python3 print:

Code:
from __future__ import print_function
 
Old 08-21-2019, 11:17 PM   #3
RickDeckard
Thank you for the idea Sefyir, I must admit it's not one I had thought of to begin with nor even knew existed. However, it didn't help. But what did was using the printf command from terminal, so now I end up with:

Code:
ryan@kali: ~/code$ printf "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\x90\xe1\xff\xff\xff\x7f" | test
*** stack smashing detected ***: <unknown> terminated 
Aborted
At least I can say I'm getting somewhere. All I need to do now is turn this detection off or do the exercise from my other computer. Making Python work from GDB without newlines would just be icing on the cake at this point.
 
Old 08-21-2019, 11:20 PM   #4
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 3,864

You could use a static file, e.g.:
Code:
printf "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\x90\xe1\xff\xff\xff\x7f" >test.inp
gdb
...
run <test.inp
 
Old 08-22-2019, 12:08 AM   #5
Sefyir
Strange, I'm not sure what includes a newline

Using process substitution and cat, we can demonstrate the insertion of a newline and lack thereof.

Code:
       -E, --show-ends
              display $ at end of each line

cat -E <(python -c 'print("example")')
example$
Code:
cat -E <(python -c 'print("example", end="")')
example

Since you're using bash anyways, try piping it through tr?

Code:
tr -d "\n"
 
Old 08-22-2019, 02:13 AM   #6
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 9,160

If you just want to know how to write to standard output in Python without outputting a newline, the answer is sys.stdout.write.
 
Old 08-22-2019, 11:06 AM   #7
RickDeckard
Quote:
Originally Posted by dugan
If you just want to know how to write to standard output in Python without outputting a newline, the answer is sys.stdout.write.
I had already tried that.
 
Old 08-22-2019, 11:18 AM   #8
NevemTeve
Obviously, as it is the shell that appends a newline in this context.
 
Old 08-22-2019, 12:05 PM   #9
Sefyir
I'm not sure the shell appends a newline...

Code:
$ python -c 'print("test", end="")'
test$
Similar behavior to echo -n "test"

If there was a newline being appended by the shell, shouldn't this result in it looking like:

Code:
$ python -c 'print("test", end="")'
test
$

Quote:
0x00000a43424242
It would seem that a newline is prepended rather than appended.

Last edited by Sefyir; 08-22-2019 at 12:11 PM.
 
Old 08-22-2019, 12:49 PM   #10
NevemTeve
Sorry, I mean the shell appends a newline (if there is none) in this context:
Code:
$ xxd <<< $(printf 'No newline')
0000000: 4e6f 206e 6577 6c69 6e65 0a              No newline.

$ xxd <<< $(printf 'Do Newline\n')
0000000: 446f 204e 6577 6c69 6e65 0a              Do Newline.
Both lines are NL-terminated; in the first case the NL is appended by the shell.
 
Old 08-22-2019, 01:32 PM   #11
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,193
Blog Entries: 18

<<< acts like a single-line HERE document. That is what is adding the \n.

Code:
$ od -tx1c <<< "wibble"
0000000  77  69  62  62  6c  65  0a
          w   i   b   b   l   e  \n
0000007
$ od -tx1c < <( printf "wibble" )
0000000  77  69  62  62  6c  65
          w   i   b   b   l   e
0000006
$
 
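The behaviour GazL's od listing shows, worked through as an added example (this is not code from the thread): each function feeds the same constructed sample bytes, 'AB\xff', to a program through a different bash input form and prints the bytes that actually arrive on stdin as a hex string, so the three forms can be compared directly. It assumes bash and python3 are on PATH; the here-string and process-substitution cases are run under bash explicitly because `<<<` and `<( )` are bash features.

```shell
#!/bin/bash
# Added example, not from the thread: which bash input forms add a trailing
# newline (0x0a) to the bytes a program reads on stdin. Each function prints
# the received bytes as one unspaced hex string, e.g. "4142ff0a".
# The input 'AB\xff' is a constructed sample, not the thread's payload.

# Hex-dump stdin as a single string of byte values (no offsets, no spaces).
hexin() { od -An -tx1 | tr -d ' \n'; }

# 1. Here-string: $(...) first strips any trailing newlines from the command
#    output, then <<< appends exactly one, so the program always sees ...0a.
via_here_string() {
  bash -c 'od -An -tx1 <<< "$(printf "AB\xff")"' | tr -d ' \n'
}

# Even if the producer emits two newlines, they are stripped and one is added
# back: the data cannot end in anything but a single 0a through this form.
via_here_string_extra_nl() {
  bash -c 'od -An -tx1 <<< "$(printf "AB\xff\n\n")"' | tr -d ' \n'
}

# 2. Process substitution: the program reads the pipe byte-for-byte.
via_process_subst() {
  bash -c 'od -An -tx1 < <(printf "AB\xff")' | tr -d ' \n'
}

# 3. Static input file (gdb: run <test.inp): byte-exact as well.
#    bash's printf is used because dash's printf does not understand \x.
via_file() {
  local f
  f=$(mktemp)
  bash -c 'printf "AB\xff"' > "$f"
  hexin < "$f"
  rm -f "$f"
}

# 4. Python's own newline is a separate matter: print() adds one and end=""
#    suppresses it, but wrapping either in <<< "$(...)" still yields a 0a.
via_python_print()       { python3 -c 'print("AB")' | hexin; }
via_python_print_noend() { python3 -c 'print("AB", end="")' | hexin; }
via_here_string_python_noend() {
  bash -c 'od -An -tx1 <<< "$(python3 -c "print(\"AB\", end=\"\")")"' | tr -d ' \n'
}

# 5. tr -d "\n" deletes every newline, including a 0x0a that is part of the
#    data itself, so it is not a safe fix for arbitrary byte strings.
via_tr() { bash -c 'printf "A\nB\n"' | tr -d '\n' | hexin; }
```

Run it with `bash` and call the functions by name. Cases 1 and 2 are the difference between the two od listings above; cases 2 and 3 are the byte-exact choices, and case 3 is the static-file approach NevemTeve suggested. Case 5 is the caveat for Sefyir's tr suggestion: it works only when the data is guaranteed never to contain 0x0a.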
Old 08-22-2019, 03:05 PM   #12
RickDeckard
Quote:
Originally Posted by GazL
<<< acts like a single-line HERE document. That is what is adding the \n.
I tried it your way and it was the only thing that worked. Thanks so much, you rock!
 
All times are GMT -5.