public inbox for gdb-prs@sourceware.org
From: "k4lizen at proton dot me" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug breakpoints/31599] New: [gdb] setting breakpoint prevents value from being written to address via read
Date: Wed, 03 Apr 2024 04:58:53 +0000
Message-ID: <bug-31599-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=31599

            Bug ID: 31599
           Summary: [gdb] setting breakpoint prevents value from being
                    written to address via read
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: breakpoints
          Assignee: unassigned at sourceware dot org
          Reporter: k4lizen at proton dot me
  Target Milestone: ---

Created attachment 15449
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15449&action=edit
the executable used to reproduce

gdb version: GNU gdb (Debian 13.2-1) 13.2
OS: Linux kali 6.6.9-amd64

The binary I used to reproduce this is from a pwn challenge, so I don't
have the source code. The binary is in the attachment. It is a 32-bit ELF
file.

What the binary does is:

1. uses `prctl` to make it so the `execve` syscall can't be called
2. `read`s at most 200 bytes from stdin, into the address 0x0804a060.
   This address is in a `rw-` mapping on my machine, and has the symbol
   "shellcode"
3. calls the address (0x0804a060)
4. segfaults, probably because the mapping that's called isn't executable

The Problem:

When a breakpoint for 0x0804a060 is set (and enabled), the `read` call
doesn't actually read the first byte of the input. This makes it so the
byte at 0x0804a060 is null (0x00). If the breakpoint isn't created or is
disabled, the `read` call properly puts the first byte of the input at
0x0804a060. The rest of the input is put in its proper place, regardless of
the breakpoint.

In the example below, I will set a breakpoint at 0x08048582, which is the
instruction right after the `read` call, and print the first byte of
0x0804a060. The behaviour is the same regardless of the breakpoint at
0x08048582, which can be checked by stepping through
instruction-by-instruction.

==================== With the 0x0804a060 (shellcode) breakpoint set. ==

└─$ gdb orw
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from orw...
(No debugging symbols found in orw)
(gdb) break *0x08048582
Breakpoint 1 at 0x8048582
(gdb) break *0x0804a060
Breakpoint 2 at 0x804a060
(gdb) r
Starting program: /home/hacker/ctf/pwnabletw/orw/orw
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Give my your shellcode:AAAA

Breakpoint 1, 0x08048582 in main ()
(gdb) x/1bx 0x804a060
0x804a060 <shellcode>:  0x00
(gdb)

========= Without setting the 0x0804a060 (shellcode) breakpoint ===

└─$ gdb orw
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from orw...
(No debugging symbols found in orw)
(gdb) break *0x08048582
Breakpoint 1 at 0x8048582
(gdb) r
Starting program: /home/hacker/ctf/pwnabletw/orw/orw
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Give my your shellcode:AAAA

Breakpoint 1, 0x08048582 in main ()
(gdb) x/1bx 0x0804a060
0x804a060 <shellcode>:  0x41
(gdb)

===============

I can produce screenshots from Ghidra's decompilation if necessary.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
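The sequence in the report, modelled as an added C example (not code from the bug report, from the attached binary, or from GDB itself). It assumes only the documented way GDB implements a software breakpoint on x86: it overwrites the byte at the breakpoint address with the one-byte `int3` opcode (0xCC), keeps the original byte as "shadow contents", and, with the default `breakpoint always-inserted off`, writes the shadow byte back whenever the inferior stops. When the inferior's `read()` lands on that same address, the first input byte replaces the 0xCC and is then overwritten by the restored shadow byte (0x00 for a zero-filled `.bss` buffer), while the following bytes survive. The `mem[]` array, the "AAAA" input and the helper names are constructed for the model; a hardware breakpoint (`hbreak *ADDR` in GDB) uses a debug register and never touches memory, so the same run leaves the 'A' in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not GDB source: a few bytes of "inferior memory"
   standing in for the rw- page that holds the shellcode buffer. */
#define MEM_SIZE 16
#define INT3     0xCC   /* x86 single-byte breakpoint opcode */

struct sw_breakpoint {
    size_t  addr;     /* offset of the breakpoint within mem[] */
    uint8_t shadow;   /* byte that was there before int3 was planted */
    int     inserted;
};

/* Debugger side: plant int3 and remember the byte it replaced. */
static void bp_insert(uint8_t *mem, struct sw_breakpoint *bp)
{
    bp->shadow    = mem[bp->addr];
    mem[bp->addr] = INT3;
    bp->inserted  = 1;
}

/* Debugger side: lift the breakpoint by writing the remembered byte back.
   Anything the inferior stored at that address in the meantime is lost. */
static void bp_remove(uint8_t *mem, struct sw_breakpoint *bp)
{
    if (bp->inserted) {
        mem[bp->addr] = bp->shadow;
        bp->inserted  = 0;
    }
}

/* Inferior side: read(2) copying n input bytes to mem[dst]. */
static void inferior_read(uint8_t *mem, size_t dst, const uint8_t *in, size_t n)
{
    memcpy(mem + dst, in, n);
}

/* Replay the report's sequence and copy the buffer out.
   use_sw_bp = 1 models "break *shellcode" (int3 written into memory);
   use_sw_bp = 0 models "hbreak *shellcode" or no breakpoint at all, where
   nothing is written into the inferior. */
void run_scenario(int use_sw_bp, uint8_t out[MEM_SIZE])
{
    uint8_t mem[MEM_SIZE] = {0};                 /* .bss: zero-filled */
    struct sw_breakpoint bp = { .addr = 0, .shadow = 0, .inserted = 0 };
    const uint8_t input[] = "AAAA";              /* constructed stdin */

    if (use_sw_bp)
        bp_insert(mem, &bp);                     /* mem[0] becomes 0xCC */

    inferior_read(mem, 0, input, 4);             /* mem[0..3] = 'A' */

    /* The inferior now stops (breakpoint 1 after the read call).  GDB
       removes every inserted breakpoint before handing control to the
       user, restoring the shadow byte 0x00 over the freshly read 'A'. */
    if (use_sw_bp)
        bp_remove(mem, &bp);

    memcpy(out, mem, MEM_SIZE);
}

/* What "x/1bx shellcode" would show for the first byte. */
uint8_t first_byte(int use_sw_bp)
{
    uint8_t buf[MEM_SIZE];
    run_scenario(use_sw_bp, buf);
    return buf[0];
}

/* The bytes after the breakpoint address are never touched by insert or
   remove, which matches the report: only the first byte goes missing. */
int rest_intact(int use_sw_bp)
{
    uint8_t buf[MEM_SIZE];
    run_scenario(use_sw_bp, buf);
    return buf[1] == 'A' && buf[2] == 'A' && buf[3] == 'A';
}
```

`first_byte(1)` returns 0x00 and `first_byte(0)` returns 0x41, reproducing the two `x/1bx` results above. The practical consequence when debugging a buffer that is both written by the target and later executed: set the breakpoint on that address with `hbreak` (or set it only after the write has completed) so the debugger never has to write into the bytes being inspected.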
Thread overview: 4+ messages

2024-04-03  4:58 k4lizen at proton dot me [this message]
2024-04-03  5:38 ` [Bug breakpoints/31599] " k4lizen at proton dot me
2024-04-03 18:44 ` tromey at sourceware dot org
2024-04-05 16:17 ` k4lizen at proton dot me