
I've been going through "Hacking: The Art of Exploitation" and following the examples. On page 145, the author demonstrates how to exploit the notesearch.c program with shellcode stored in an environment variable. Erickson does this with the following:

    ./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40')

On the command line, this doesn't work for me, but in GDB, typing

    run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

does work.

Notes: Now of course, his address above is different from mine due to protections in the CPU, but I just followed his example by running notesearch in gdb, getting the address of the shellcode in the environment variable, and adding 100 to it:

    (gdb) x/s 0xbffff8e3 + 100

Of course my address is different from his above, but still, everything checked out, yet it didn't work.

**BUT**

When I run his exploit code in GDB, it works fine.

    run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

So why would

    run $(perl -e 'print "\x47\xf9\xff\xbf"x40')

work in gdb, and give me a root shell but

    ./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40')

on the command line won't work? Is address randomization turned off in gdb but not in the OS? Is there a mismatch between what addresses GDB shows and what addresses the program is really running at? Thanks in advance for any guidance.

user1197457
  • I guess that Address Randomization is at work here, both in GDB and in the OS. The addresses are randomized for each run of the program, thus the address in an independent run of the program won’t match the one you extracted previously using GDB. – Jonas Schäfer Jan 20 '15 at 15:22
  • Thanks Jonas, I was afraid of that. It will be a good exercise for me but for others who are struggling, it REALLY muddies the waters when a demonstrated exploit doesn't work as described particularly when a VM and code are provided. Case closed from my perspective. – user1197457 Jan 20 '15 at 16:39
  • As said, this is just a guess (which is why I provided no answer) and there might be other reasons for this behaviour. Someone with evidence and/or experience might be able to make a definitive statement on that. – Jonas Schäfer Jan 21 '15 at 10:58

1 Answer


We don't need to draw on ASLR to explain why the exploit works in gdb but not on the command line. When running in GDB, the stack location is simply shifted a bit (on my system, 80 bytes down), so the provided address 0xbffff947 needs to be adjusted to work from the shell command line. To verify this, just have a look by putting e.g.

    printf("searchstring = %p\n", searchstring);

in notesearch.c; you'll possibly see a constant address every time you run the command from the shell, and another constant address every time you run from GDB.

Armali
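To compare the two runs the way the answer suggests, here is a small probe program added as an example (it is neither the book's code nor the answer's): it prints the address of a local stack buffer and of an environment string, and, given the two hex addresses observed from the shell and from GDB, reports the shift between them. The argument names SHELL_ADDR and GDB_ADDR are assumptions; with ASLR enabled the printed addresses change on every run, which is the other explanation offered in the comments.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Address of a 100-byte local buffer, read back through a volatile pointer so
 * the compiler cannot fold the return value into 0. Run the binary from the
 * shell and again under GDB: the two printed values differ by the shift the
 * answer describes (80 bytes on the answerer's system). */
uintptr_t stack_probe(void)
{
    char buf[100];
    char *volatile p = buf;
    memset(buf, 0, sizeof buf);
    return (uintptr_t)p;
}

/* Parse "0xbffff947"-style text; returns 0 (never a valid stack address) on junk. */
uintptr_t parse_addr(const char *s)
{
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 16);
    if (end == s || *end != '\0' || errno != 0)
        return 0;
    return (uintptr_t)v;
}

/* Signed distance in bytes from the GDB-observed address to the shell-observed
 * one; negative means the shell run's stack sits lower in memory. */
long address_shift(uintptr_t shell_addr, uintptr_t gdb_addr)
{
    return (long)((intptr_t)shell_addr - (intptr_t)gdb_addr);
}

int main(int argc, char **argv)
{
    printf("stack buffer = %#lx\n", (unsigned long)stack_probe());
    printf("PATH string  = %p\n", (void *)getenv("PATH")); /* env strings shift too */
    if (argc == 3) {                      /* ./probe SHELL_ADDR GDB_ADDR (hex) */
        uintptr_t shell = parse_addr(argv[1]), gdb = parse_addr(argv[2]);
        if (!shell || !gdb) {
            fprintf(stderr, "usage: %s SHELL_ADDR GDB_ADDR\n", argv[0]);
            return 1;
        }
        printf("shift (shell - gdb) = %ld bytes\n", address_shift(shell, gdb));
    }
    return 0;
}
```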