6

I am learning about buffer overflows and I’m developing my very first exploit.

There is a server process that listens to a socket and forks a new process for each client. The child process has a buffer overflow vulnerability which I’m exploiting.

My exploit works if I start the server using gdb, however I get a segfault when the exploit code is run if I simply start the server with no gdb.

My question is - does gdb automatically deactivate some protection mechanisms, like aslr/stack protection etc? What would be a possible explanation of this behaviour?

I have compiled the server with -zexecstack -fno-stack-protector, and I still can’t exploit it without gdb.

This is on Debian x86. By running the server with gdb I mean I run `gdb server` and then just type `run` in the gdb console, no breakpoints or anything else. This way my exploit is successful (makes a curl request to my server).

Andrei Socaciu
    Stack frame address during debugging may be different from address during normal execution: http://stackoverflow.com/a/17775966 – Michal K Dec 25 '15 at 22:37
  • @MichalK yes that seems to be the case, thanks for the hint! Indeed the return address is different if I start with gdb or if I attach gdb at a later point. The return address I obtain when attaching gdb after start is the one that works if I leave gdb completely out. Please make this an answer instead of a comment so that I can accept it. – Andrei Socaciu Dec 26 '15 at 20:05

2 Answers

1

GDB uses debugging hooks, and it's intended to use debug symbols and handle them, and it alters actual behaviour. So it's clear that some artifacts will show up for sure.

Alexey Vesnin
0

Per codeblog:

Starting with GDB version 7, first appearing in Ubuntu with Karmic (Ubuntu 9.10), ASLR is turned off (via the ADDR_NO_RANDOMIZE personality flag) for the debugged process. If you want a more realistic view of how a process will appear in memory, you must “set disable-randomization off” in gdb.

Neil Smithline
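Michal K's comment and Neil Smithline's answer each name one reason a debugged process looks different from a normally started one: gdb's environment (it adds `LINES` and `COLUMNS` and rewrites `_`) changes how many bytes the kernel places above the initial stack, so every frame lands at a different address, and gdb 7+ sets the `ADDR_NO_RANDOMIZE` personality flag so ASLR is off for the inferior. The program below is an added example, not code from the question or either answer; it assumes Linux with glibc (for `<sys/personality.h>`). It reports both effects so they can be compared between a plain run and a run under gdb: the total size of the argv/envp strings, the address of a stack local, and whether the process persona has randomization disabled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/personality.h>   /* personality(), ADDR_NO_RANDOMIZE (assumed: Linux/glibc) */
#endif

/* Total bytes (including each terminating NUL) of a NULL-terminated string
   vector such as argv or envp. The kernel copies these strings to the top of
   the initial stack before main() runs, so any change in this total moves
   main's frame, and every frame below it, by the same amount. That is why a
   stack address observed under gdb (different environment) differs from the
   address of the same local in a process started without the debugger. */
size_t env_footprint(const char *const *vec) {
    size_t total = 0;
    for (size_t i = 0; vec[i] != NULL; i++)
        total += strlen(vec[i]) + 1;   /* the string plus its NUL */
    return total;
}

/* Returns 1 if ADDR_NO_RANDOMIZE is set for the calling process (gdb 7+ sets
   it on the inferior unless "set disable-randomization off" is used),
   0 if it is not set, and -1 where the query is unavailable. */
int aslr_disabled_by_personality(void) {
#ifdef __linux__
    /* 0xffffffff queries the current persona without changing it */
    int persona = personality(0xffffffff);
    if (persona == -1)
        return -1;
    return (persona & ADDR_NO_RANDOMIZE) ? 1 : 0;
#else
    return -1;
#endif
}

int main(int argc, char **argv, char **envp) {
    volatile int marker = 0;   /* a stack local whose address we report */
    (void)argc;
    size_t bytes = env_footprint((const char *const *)argv)
                 + env_footprint((const char *const *)envp);
    printf("argv+envp strings above the stack : %zu bytes\n", bytes);
    printf("address of a stack local          : %p\n", (void *)&marker);
    printf("ADDR_NO_RANDOMIZE set (1=yes)     : %d\n", aslr_disabled_by_personality());
    return 0;
}
```

Build with `gcc -Wall probe.c -o probe`, run `./probe` twice to see the local's address change while ASLR is on, then run `gdb -q ./probe -ex run -ex quit`: the byte total grows with gdb's extra environment, the local's address moves accordingly and stops changing between runs, and the persona flag reads 1. Attaching gdb to an already running process, as the comment thread notes, leaves both the environment and the persona as they were at start, which is why addresses taken that way match the undebugged process.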