
I'm trying to bof a particular exploitme on DVL by redirecting input (to gets) using run < inputfile inside gdb.

I can overflow the program successfully but am having trouble appending hex values to the string. I have tried quotation marks, converting the value of the memory address to ASCII, and various escape attempts (\,\,\) with no luck.

Input file example: AAAA\x42

In the above example it would appear that the backslash is being read as an ASCII char (5c) and the value 42 remains in the stack (oddly?).

How would one go about specifying a hex value inside a gdb input file?

Thanks

Skitch

1 Answer


Use perl! :)

reader@hacking:~/booksrc $ ./overflow_example $(perl -e 'print "A"x30')

With the -e option perl evaluates the following code, and wrapping it in $(...) makes the shell treat perl's output as a string. So the command above is identical to:

reader@hacking:~/booksrc $ ./overflow_example AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

(adding x30 after a string repeats it 30 times). Of course perl also accepts hex values with the notation \x??. One more thing: to concatenate strings, use a dot:

reader@hacking:~/booksrc $ perl -e 'print "A"x20 . "BCD" . "\x61\x66\x67\x69" ;'
AAAAAAAAAAAAAAAAAAAABCDafgi

So you can redirect the output of perl into your input file, or call perl directly in gdb when you run the program.

BlackBear
  • Hi, thanks for the reply. However, the problem I face is how to see the registers using this format. The program uses the gets function, so it waits for user input, i.e. ./vulnapp \n Enter name: AAAA. Is there a way to pipe the perl output into gdb, not as an argument? – Skitch Feb 16 '11 at 19:00
  • @Skitch: Yes, your approach was correct. Pipe the perl output into a file, then pipe this file to the exploitme; it should work. – BlackBear Feb 16 '11 at 19:07