Jump to content


Photo
- - - - -

find string address in mem using gdb


  • Please log in to reply
2 replies to this topic

#1 bobo825

bobo825

    Will I break 10 posts?

  • Members
  • 2 posts

Posted 30 June 2007 - 07:55 AM

Hi
Here is my problem :
I have to exploit a simple buffer overflow on a linux box with non ex stack and with no gcc or perl installed...
In order to exploit the suid program i have to use the ret into libc trick ...i found the address of the function system and exit using gdb but i need the address of the string /bin/sh as an arg to the function system. its pretty simple when i can code a small prog in c which return me he address of an environnement variable like SHELL=/bin/sh.. But with no gcc installed i tried to do it with gdb:

<gdb> set $x = 0x etc... <---- libc base address (ldd suid prog)
<gdb> while(strcmp($x, "/bin/sh")!=0)
> set $x = $x + 1
> end

ive been waiting for a long time but it return no result..

thx you

#2 n00b

n00b

    elite

  • Members
  • 114 posts

Posted 30 June 2007 - 08:31 AM

Have a read of this it should be in there some where on haw to do this m8.Also look at the top link here very informative
nvrmm strange why don't you just install gcc m8 it would make your life alot more easyer.As you know then you could find the environment variable and display the correct adress.Also will be able to enable you to see if the address is changing.

http://www.google.co...q...earch&meta=

http://www.milw0rm.com/papers/6

Ive done this before i just cant remember haw lol was so long ago since i messed with linux.Also might be worth a look have a read of some of the paper's by Xpl017Elz.

http://x82.inetcop.o...ers/FC_exploit/

Edited by n00b, 30 June 2007 - 08:56 AM.


#3 bobo825

bobo825

    Will I break 10 posts?

  • Members
  • 2 posts

Posted 30 June 2007 - 09:09 AM

thank you for your fast answer i'll take a look at this links...




BinRev is hosted by the great people at Lunarpages!