PEDA Patterns
In pwn problems, we often need to find the size of a buffer that we’re going to overflow. Instead of guessing the buffer offset until we reach something interesting, we can use patterns in the GDB extension PEDA. Note that the patterns given should be stripped of leading and trailing quotation marks before being used.
1 | pattern create 1035 |
To search for the pattern in the program context, you can simply run the following.
1 | pattern search |
64-bit Note
In 64-bit binaries, the binary doesn’t continue running before it segfaults - i.e. the binary segfaults right before it would have obtained an invalid $rip.
Therefore, we wouldn’t be able to use pattern seach to see where the offset is and must manually check the stack pattern bytes that would have been popped into $rip. After copying the 8 bytes that would have gone into $rip, we can use the following to see the offset.
1 | pattern offset <pattern_bytes> |
Attaching GDB to a Process
When you run a binary in GDB, the binary runs with ASLR off by default and the number of environment variables is different from if you had run the raw binary.
For this reason, it’s often more useful to attach GDB to a running process than running GDB from the start.
In one terminal, run the binary until it hits a point where the user has to enter input - otherwise the process might terminate before we even have time to attach to it.
1 | ./vuln |
In another terminal, attach with GDB like this.
1 | sudo gdb vuln `pidof vuln` |
Jumping to an Address
You can jump to a specific address at any time during a binary’s execution using GDB.
1 | jump *address |
Python Interpreter
This is a small one but easy to forget - there’s a built in Python interpreter in GDB that you can use while debugging, so you don’t have to exit GDB or open a new window! I haven’t played with it too much but it might default to Python 3 (I couldn’t import modules like pwn). However, it works in a pinch when you need to convert hex digits to integers or vice-versa.
1 | gdb-peda$ pi |