I am trying to exploit a buffer overflow in a challenge; the buffer gets its value from an environment variable. In GDB I know that you can set environment variables using the command:

set environment username = test

However I need to pass the username variable special characters, so I need to do something like:

set environment username= $(echo -e '\xff\x4c......')

But that command doesn't get executed and the username variable contains literally what I wrote down. Does anybody know a trick to pass special characters to an environment variable?

2 Answers

Well, if you really need to do it from GDB, here is one example:

hello.c

#include <stdlib.h>
#include <stdio.h>

int main(int argc, char** argv) {
    printf("argv[1]=%s\n", argv[1]);
    printf("VAR=%s\n", getenv("VAR"));
    return 0;
}

Example:

$ gcc -g -o hello hello.c
$ gdb ./hello
...
(gdb) set exec-wrapper bash -c 'exec env VAR="`echo myEnv`" "$@"' --
(gdb) r myArg
...
argv[1]=myArg
VAR=myEnv

Change VAR and echo myEnv to a variable and command you need.


But note that setting VAR from shell before starting GDB also works:

$ VAR=`echo Hey there` gdb ./hello
...
(gdb) r myArg
...
argv[1]=myArg
VAR=Hey there

1 Comment

Why do you introduce an extra bash process? set exec-wrapper env VAR="`echo myEnv`" should suffice.
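
An added example, not part of the original answers: a POSIX shell check of which bytes a child process actually receives in VAR when the value comes from command substitution (as in the exec-wrapper and shell-prefix forms above) versus when the text is passed as typed. The function names and sample byte strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed); child_hex, expanded_hex and literal_hex are
# illustrative names, not part of GDB or of the answers above.

# Start a child with VAR set to $1 and hex-dump the bytes the child sees.
child_hex() {
    env VAR="$1" sh -c 'printf %s "$VAR" | od -An -v -tx1' | tr -d ' \n'
}

# Value produced by a command: the shell runs printf first and hands the raw
# bytes to env. $1 is a printf format string; octal escapes are used because
# \xNN is not supported by every sh printf. Command substitution strips
# trailing newlines, and an environment value can never contain a NUL byte.
expanded_hex() {
    child_hex "$(printf "$1")"
}

# Value passed as typed, with no shell expansion: the child receives the
# escape sequence as plain text, which is what the question observed.
literal_hex() {
    child_hex "$1"
}

expanded_hex '\377\114'; echo   # bytes 0xff 0x4c reach the child
literal_hex '\377\114'; echo    # the eight literal characters reach the child
```

Running the same dump inside the program started by GDB confirms whether the wrapper delivered the intended bytes before any further debugging.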

When starting gdb from shell command-line, you can specify which program to run, with which arguments (with --args), and even modify the environment of the program with the help of env!

I just did it successfully like this:

gdb --ex=run --args env LD_BIND=now LD_DEBUG=libs \
apt-get install --yes $(cat pkgs-to-install-to-crash-apt)

--ex=run is to ask gdb to run it immediately.

1 Comment

In this case gdb first starts env, which exec's apt-get. If you set a breakpoint on main (or use start) and env has the main symbol, it will stop in env, not in apt-get. More details here.
