pwnlib coredump example

2020-11-25 15:16:52 +00:00 · 2020-11-25 15:16:52 +00:00 · a8cbc66faf
commit a8cbc66faf
parent 49e18c82a9
3 changed files with 73 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,6 +2,7 @@
 __pycache__/
 *.py[cod]
 *$py.class
+.vscode

 # C extensions
 *.so
@ -128,5 +129,12 @@ dmypy.json
 # Pyre type checker
 .pyre/

+# vscode
+.vscode
+
 #vagrant
-.vagrant
+.vagrant
+
+# binaries
+vuln-32
+core
--- a/offset.py
+++ b/offset.py
@ -0,0 +1,27 @@
+from pwnlib.elf.corefile import Coredump
+from pwnlib.util.cyclic import cyclic, cyclic_find
+from pwnlib.util.packing import pack
+from pwnlib.tubes.process import process
+import os
+
+# TODO: command line arguments
+input_file = "input.txt"
+exec_name = "./vuln-32"
+core_file = "./core"
+
+os.remove(core_file)
+
+# TODO Loop until a crash, increase payload size each iteration
+with open(input_file, "wb") as f:
+    payload = cyclic(512)
+    f.write(payload)
+
+process([exec_name, input_file]).wait()
+
+core = Coredump('./core')
+
+assert pack(core.eip) in payload
+
+print(cyclic_find(core.eip))
+
+os.remove(input_file)
--- a/vuln.c
+++ b/vuln.c
@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+int copyData(char *string)
+{
+	char buf[32];
+	strcpy(buf, string);
+	return (0);
+}
+
+int main(int argc, char *argv[])
+{
+	char buffer[700];
+	FILE *file;
+    if (argc !=2)
+    {
+        printf("[*] invalid arguments!\n [*] > %s file_name\n",argv[0]);
+        exit(0);
+    }
+	printf("opening file\n");
+	file = fopen(argv[1],"rb");
+	if (!file)
+	{ 
+		//printf("file not opened %s", strerror(errno));
+		fprintf(stderr,"file not opened %s", strerror(errno));
+		//printf("error");
+		return (0);
+	}
+	printf("file opened\n");
+	fread(buffer, 699,1,file);
+	fclose(file);
+	copyData(buffer);
+	return (0);
+}
+		
+