Wednesday, October 5, 2011

GDB error != runtime error

While trying to develop an exploit recently, I ran into a 'fun' issue with GDB: lies. While working on a ROP buffer, I had been stepping through it with GDB to make sure everything was lined up properly. At the very last step of the exploit, the one right before control reached my shellcode, I kept running into the same error:

(gdb) msi
0x0804a92e in <....... removed .......>
=> 0x804a92e <....... removed .......>    ret   
(gdb)
Cannot access memory at address 0x5f
(gdb)

After double-checking the exploit payload and the registers, re-adjusting values, etc., I still saw the same error. Finally, out of frustration, I told GDB to continue just so the application would crash. To my surprise, the crash never happened and my shellcode executed! Wait, what? I thought we had a memory access problem. It turns out the error came from GDB itself, not from the target: to work out where the stepped-into frame was (and, after a ret, which frame it had returned to), GDB's unwinder treated EBP as the frame base and tried to read the saved frame pointer and return address through it, and EBP had just been trashed with the value 0x5f. That read failed inside GDB; the program never dereferenced 0x5f and never faulted. The giveaway I missed: a real memory fault in the target is reported as "Program received signal SIGSEGV", and no such line ever appeared. Next time I need to check that no signal has actually been received before trusting a "Cannot access memory" message. Or maybe GDB could have been nicer and stated why and what it was accessing at 0x5f.
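The situation above can be reproduced without writing an exploit. The following is an added example, not the author's code: a C program (hypothetical function names, GCC/Clang inline assembly, x86-64 or i386 with `-m32`) that executes a `ret` while the frame pointer holds 0x5f, then restores the frame pointer and carries on. The program is sound the whole time, because nothing is addressed through the frame pointer while it is trashed; only a debugger's unwinder is confused at that instruction.

```c
#include <stdio.h>

/*
 * Execute a 'ret' while the frame pointer is 0x5f, the state described in the
 * post, then put the frame pointer back and continue.  The real frame pointer
 * is saved and restored on the stack by the asm itself, so no C code runs while
 * it is garbage.  Returns 1 once execution has continued past that ret.
 *
 * Added reproducer (hypothetical names).  On architectures other than x86 the
 * asm is compiled out and the function simply returns 1.
 */
int ret_with_trashed_frame_pointer(void)
{
    volatile int survived = 0;
#if defined(__x86_64__)
    __asm__ volatile(
        "lea  -128(%%rsp), %%rsp\n\t"  /* step below the SysV red zone before pushing */
        "push %%rbp\n\t"               /* keep the real frame pointer */
        "mov  $0x5f, %%rbp\n\t"        /* rbp is now garbage, as after a chain's 'pop ebp' */
        "lea  1f(%%rip), %%rax\n\t"    /* where the ret should land */
        "push %%rax\n\t"
        "ret\n\t"                      /* gadget-style ret with rbp == 0x5f: 'stepi' this in GDB */
        "1:\n\t"
        "pop  %%rbp\n\t"               /* frame pointer valid again */
        "lea  128(%%rsp), %%rsp\n\t"
        : : : "rax", "memory", "cc");
#elif defined(__i386__)
    __asm__ volatile(
        "push %%ebp\n\t"               /* keep the real frame pointer */
        "mov  $0x5f, %%ebp\n\t"        /* ebp == 0x5f, exactly the post's situation */
        "call 2f\n\t"                  /* position-independent way to get the address of 1: */
        "2:\n\t"
        "pop  %%eax\n\t"
        "add  $1f-2b, %%eax\n\t"
        "push %%eax\n\t"
        "ret\n\t"                      /* gadget-style ret with ebp == 0x5f: 'stepi' this in GDB */
        "1:\n\t"
        "pop  %%ebp\n\t"               /* frame pointer valid again */
        : : : "eax", "memory", "cc");
#endif
    survived = 1;                      /* only reached if the ret landed where intended */
    return survived;
}

int main(void)
{
    int ok = ret_with_trashed_frame_pointer();
    printf("ret executed with frame pointer == 0x5f; program continued: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Build it with `gcc -fno-omit-frame-pointer -o trashed trashed.c` (add `-m32` to get the i386 path and the EBP register from the post), then in GDB: `break ret_with_trashed_frame_pointer`, `run`, and `stepi` through the asm up to and over the `ret`. While the frame pointer is 0x5f, `info registers rbp` (or `ebp`) shows the garbage value, yet `p/x $pc` and `x/i $pc` still work, and `info program` reports that the program "stopped after being stepped", with no received signal. Exactly what GDB complains about at that point depends on its version and on whether it has unwind information for the function; the post's target had none, so GDB's prologue analyzer read through EBP and reported the failed read at 0x5f. Either way, `continue` prints "program continued: yes", which is the whole point: an error message printed by GDB is not a fault in the program.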
