
I typically run my program with:

perl -e 'print "A"x200' | ./vuln_prog

The stdin is consumed by a gets() function in C++.

If this were just a command argument, I could open gdb by doing:

gdb ./vuln_prog
run $(perl -e 'print "A"x200')

However, my scenario is not a command argument, but rather input (STDIN?). How would I debug this in gdb? I've tried a bunch of options, but nothing seems to really work.

I would normally just run gdb on the process, and when it prompts for user input, type it in; however, I'm not wanting to type just "A". I want to type all chars from \x00-\xff, which I can't type.

– mandreko
  • Why are you using `gets`? I mean sometimes it's acceptable (like if you're just writing a quick program to test something, or if the program will only be run with trusted input) but I'm curious. – flarn2006 Sep 19 '16 at 22:33
  • It was not my code. It was for a fun reverse engineering challenge, where the code was provided. – mandreko Sep 20 '16 at 12:28
  • Oh okay. Was `gets` intentionally used *because* it was vulnerable, like as part of a possible solution to the challenge? – flarn2006 Sep 21 '16 at 02:38
  • @flarn2006 Indeed it was the vulnerable function. I was able to do a buffer overflow due to it not bound-checking. – mandreko Sep 21 '16 at 14:02
  • 7
    `r < <(perl -e 'print "A"x200')` (as the question is closed, not as answer) – thejonny May 06 '19 at 20:07

1 Answer

gdb ./vuln_prog
run < filename_with_input
– zed_0xff
  • Thank you SO much. I was trying to run the input directly, where I should have thought to just print the perl code to a file, and input it. That worked marvelously. – mandreko Dec 07 '11 at 20:57
  • 2
    Does the have a `lldb` equivalent? – Thomas Ahle Jan 03 '16 at 20:57
  • 2
    @ThomasAhle For lldb equivalent http://stackoverflow.com/questions/29861242/cannot-get-mac-os-x-lldb-process-to-read-the-stdin – jernkuan Jul 18 '16 at 10:20
  • 1
    What if I need to run a command as an input? Like `cat file.bz2 | bunzip2 | myProgramThatNeedsDebugging` ? – iAdjunct May 10 '18 at 14:10
  • @iAdjunct, in that case do "bunzip2 < file.bz2 > filename_with_input" before running gdb. – j13r May 31 '18 at 01:40
  • @j13r Ha, sorry, I'm good at finding ridiculous cases. My bzip'd file is ~500MB and, unzipped, it's roughly 80GB (file paths, lots and lots of file paths). I can't store them unzipped. – iAdjunct May 31 '18 at 03:18
  • 2
    @iAdjunct I saw in another question that you can use the bash syntax, i.e., "run < <(bunzip file.bz2)" – j13r May 31 '18 at 16:50
  • 8
    is there any way to pipe without writing to file? – Shinlos Apr 22 '19 at 17:58
  • 3
    @Shinlos I'm still trying to figure out how this syntax works, but I believe, `run < <(python3 ~/exploit.py)` will work if you're trying to pipe in the output of exploit.py into the program you're currently stepping in gdb. – Josh Desmond Apr 02 '20 at 18:27
  • @JoshDesmond it does indeed work this way, I just had to change it to `run < <("\`python -c '(script)'\`")` – diego92sigma6 Sep 13 '21 at 21:02
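Putting the answer's `run < file` redirection together with the question's untypeable \x00-\xff input, as an added shell example (not code from the question, the answer or any commenter); `./vuln_prog` is the question's binary name, while the file names and the 200-'A' plus 0x00-0xff payload are constructed:

```shell
#!/bin/sh
# Added example (not from the question or answer): build an stdin payload
# that cannot be typed at gdb's prompt, here 200 'A's followed by every
# byte 0x00-0xff, and hand it to the debuggee with gdb's "run < file".

# Write the constructed input to the file named in $1. printf octal escapes
# produce each byte exactly, including NUL, which a shell variable cannot hold.
make_input() {
    out=$1
    printf '%200s' '' | tr ' ' 'A' > "$out"
    i=0
    while [ "$i" -lt 256 ]; do
        printf "\\$(printf '%03o' "$i")" >> "$out"
        i=$((i + 1))
    done
}

# Byte count of a generated file, to confirm nothing was dropped in transit.
input_size() {
    wc -c < "$1" | tr -d ' '
}

# Write a gdb command file ($1) that redirects the inferior's stdin from the
# input file ($2) and prints a backtrace once the program stops. This is the
# answer's "run < filename_with_input", made reproducible; the commenters'
# "run < <(cmd)" form skips the temporary file but requires bash.
write_gdb_commands() {
    cat > "$1" <<EOF
run < $2
bt
EOF
}

# Stand-alone use: ./vuln_prog is the question's binary name; the gdb step
# is skipped when the binary or gdb is not present.
if [ -x ./vuln_prog ] && command -v gdb >/dev/null 2>&1; then
    make_input input.bin
    write_gdb_commands cmds.gdb input.bin
    gdb -q -x cmds.gdb ./vuln_prog
fi
```

Checking the byte count before starting gdb catches a dropped NUL early, which is the usual reason a "typed" or variable-based payload silently differs from the one the program crashes on.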