Pasting Shellcode in GDB using Python

source link: https://parsiya.net/blog/2014-05-25-pasting-shellcode-in-gdb-using-python/

May 25, 2014 - 2 minute read - Comments - Python

A few days ago I was trying to write an exploit for a buffer overflow in GDB. The target was a console application, and pasting the shellcode straight into its terminal would mess with it.

There are a few options:

  • Writing shellcode to a file and then using it as input for GDB.

    # program input: 1000 x 0x41 followed by a new line
    # (Python 2 print syntax, as in the original; Python 3: print("\x41"*1000))
    $ python -c 'print "\x41"*1000' > input
    
    # $ perl -e for perl
    
    # GDB commands (e.g. breakpoints) go in a separate command file loaded with -x,
    # one command per line; "run < input" only redirects the debugged program's stdin
    $ echo 'b *0xDEADBEEF' > cmds
    
    # start debugging with GDB
    # -q (quiet mode): no text at startup
    $ gdb -q -x cmds executable1
    (gdb) run < input

After this you can manually debug in GDB.

  • Writing a Python script for interactive debugging. When I wrote this, I thought it was a clever idea, but then someone told me I could have written a GDB script. However, I had already written this snippet, so here it goes.

    #!/usr/bin/python
    # Python 2 (raw_input, str pipes), as in the original post
    
    from subprocess import Popen, PIPE
    from time import sleep
    
    # shellcode (placeholder payload: 1000 x 0x41 followed by a new line)
    shellcode = "\x41" * 1000 + "\n"
    
    # opens gdb with parameter executable
    # you can also manage stdout and stderr here
    proc = Popen(['gdb', 'executable'], bufsize=1, stdin=PIPE)
    
    def send(cmd):
        # every GDB command needs a trailing new line; flush so it is not left in the buffer
        proc.stdin.write(cmd)
        proc.stdin.flush()
        # half a second of sleep after each command
        sleep(0.5)
    
    # sample breakpoint (the address needs its 0x prefix)
    send('b *0xDEADBEEF\n')
    
    # r or run to start debugging the program with GDB
    send('r\n')
    
    # any other commands go here
    
    # this is a loop, will get every command and pass it to GDB
    # "leave" == quit GDB and terminate process
    # "dump"  == paste shellcode
    while True:
        mycommand = raw_input()
        if mycommand == "leave":
            # quit gdb
            send("quit\n")
            break
        elif mycommand == "dump":
            # paste shellcode
            send(shellcode)
        # more custom commands go here
        else:
            # not a custom command? send it as-is
            send(mycommand + '\n')
    
    # close our pipe and wait for gdb to exit
    proc.stdin.close()
    proc.wait()

I think this code can be modified into a very simple fuzzer: we control stdin and can read stdout and stderr. Change the input, record the output, rinse and repeat.
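The "very simple fuzzer" sketched above, as an added example (not code from the original post): it drives the target's stdin with Popen and communicate() instead of fixed sleeps, records the return code and output for every input, and flags a crash when the child dies from a signal. The target here is a constructed stand-in (a small Python program that aborts on an over-long line); swap in the real binary's argv.

```python
import subprocess
import sys
import signal
import textwrap

# Constructed stand-in for the target: aborts (SIGABRT) once its input line
# exceeds 64 bytes, mimicking a crashing console application.
# Replace [sys.executable, "-c", TARGET] with the real binary, e.g. ["./executable"].
TARGET = textwrap.dedent("""\
    import os, sys
    data = sys.stdin.buffer.readline().rstrip(b"\\n")
    if len(data) > 64:
        os.abort()
    sys.stdout.write("ok %d\\n" % len(data))
""")


def run_case(payload, argv=None, timeout=5):
    """Feed one payload to the target's stdin and record what happened.

    communicate() writes the data, closes the pipe and waits for exit, so
    no sleep() guesswork is needed. On POSIX a negative return code means
    the child was killed by signal -rc (e.g. SIGSEGV, SIGABRT).
    """
    argv = argv or [sys.executable, "-c", TARGET]
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate(payload, timeout=timeout)
    rc = proc.returncode
    sig = signal.Signals(-rc).name if rc < 0 else None
    return {"len": len(payload), "rc": rc, "signal": sig,
            "stdout": out, "stderr": err}


def fuzz_lengths(lengths, byte=b"\x41"):
    """Rinse and repeat: send byte * n for each length, stop at the first crash."""
    results = []
    for n in lengths:
        res = run_case(byte * n + b"\n")
        results.append(res)
        if res["signal"] is not None:
            break
    return results


if __name__ == "__main__":
    for r in fuzz_lengths([16, 32, 64, 128, 256]):
        print("len=%-4d rc=%-4d signal=%s" % (r["len"], r["rc"], r["signal"]))
```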

subprocess is a very powerful module. For example, to run an application with an argument normally we can write subprocess.call(['gdb', 'executable']).

But let's say we want to run the executable with input (containing the shellcode):

import subprocess

shellcode = "\x41" * 100 + "\n"

# call() cannot take input data as a positional argument (that slot is bufsize);
# open the process with a stdin pipe and hand the data over with communicate()
proc = subprocess.Popen(['./executable'], stdin=subprocess.PIPE)
proc.communicate(shellcode)

Posted by Parsia May 25, 2014 Tags: Python Shellcode Interactive Debugging
