
I am having trouble solving a challenge that requires using a buffer overflow to overwrite the return address and call another function that gives a shell. The program prompts the user for input, which can be used to overflow the buffer.

I can manually overwrite the address in gdb and get the shell; however, when I attempt to input data to the program through a file, using "run < input.txt" (still in gdb), it doesn't work - I just get a segfault. This happens even when the memory layout after inputting the data looks exactly the same and stepping through the program does correctly return to and execute the "give_shell()" function.

Even if I only input a single character using the input file and then manually overwrite the return address it does not work. The only way I can get the shell is to enter input manually, break, overwrite the return address, and then continue.

Does anyone have any idea why the execution would be different when I manually enter the input to the program vs. sending input through a file within gdb?

Thanks.

brad

1 Answer

I finally figured out what the problem was with the help of perror. Since the execution appeared to be following the correct path when I specified the input through a file, I guessed that maybe the shell was running but was being closed automatically. The referenced answer had a section called "Keep the stdin open after injection", which pointed me in the right direction and confirmed that the shell was indeed running.

I was able to get the shell by specifying the input like this: (cat input.txt; cat) | ./program

brad
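The failure mode the answer diagnoses, shown with a small stand-in so it can be reproduced without the challenge binary (this is an added example, not code from the question or answer). The stand-in is a constructed `sh -c` one-liner that reads one line of input and then hands its stdin to a shell, standing in for what give_shell() does; the helper names are mine. It shows that with `< input.txt` the spawned shell inherits a stdin already at end-of-file and exits at once with status 0, while with a pipe that still carries data the same shell runs what follows the payload.

```python
import subprocess
import tempfile
from typing import Tuple

# Stand-in for the challenge binary, constructed for this example (not the
# original program): consume one line of input, then hand the same stdin to
# a shell, which is what give_shell() does once control reaches it.
STAND_IN = "read line; exec /bin/sh"


def shell_stdin_from_file(payload: bytes) -> Tuple[int, str]:
    """Model `./program < input.txt`.

    stdin is a regular file.  After the first line is consumed, the shell
    that inherits fd 0 immediately reads EOF, so it exits quietly with
    status 0 and never gets a command: this is the "shell closes by
    itself" behaviour from the question.
    """
    with tempfile.TemporaryFile() as f:
        f.write(payload)
        f.seek(0)
        proc = subprocess.run(["sh", "-c", STAND_IN], stdin=f,
                              capture_output=True)
    return proc.returncode, proc.stdout.decode()


def shell_stdin_from_pipe(payload: bytes, commands: bytes) -> Tuple[int, str]:
    """Model `(cat input.txt; cat) | ./program`.

    stdin is a pipe that still has data after the payload, so the spawned
    shell reads and runs it.  The interactive trailing `cat` (which keeps
    the pipe open and forwards the terminal) is replaced here by a fixed,
    constructed byte string so the run is deterministic.
    """
    proc = subprocess.run(["sh", "-c", STAND_IN], input=payload + commands,
                          capture_output=True)
    return proc.returncode, proc.stdout.decode()


if __name__ == "__main__":
    # "AAAA\n" stands in for the line that overflows the buffer.
    print(shell_stdin_from_file(b"AAAA\n"))                               # (0, '')
    print(shell_stdin_from_pipe(b"AAAA\n", b"echo shell-is-alive\n"))     # (0, 'shell-is-alive\n')
```

Both runs return exit status 0, which is why nothing looks wrong from outside: the shell did start, it just had nothing left to read.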