pwnlib coredump example

.gitignore

@@ -2,6 +2,7 @@
 __pycache__/
 *.py[cod]
 *$py.class
+.vscode
 
 # C extensions
 *.so
@@ -128,5 +129,12 @@ dmypy.json
 # Pyre type checker
 .pyre/
 
+# vscode
+.vscode
+
 #vagrant
 .vagrant
+
+# binaries
+vuln-32
+core

offset.py

@@ -0,0 +1,27 @@
+from pwnlib.elf.corefile import Coredump
+from pwnlib.util.cyclic import cyclic, cyclic_find
+from pwnlib.util.packing import pack
+from pwnlib.tubes.process import process
+import os
+
+# TODO: command line arguments
+input_file = "input.txt"
+exec_name = "./vuln-32"
+core_file = "./core"
+
+os.remove(core_file)
+
+# TODO Loop until a crash, increase payload size each iteration
+with open(input_file, "wb") as f:
+    payload = cyclic(512)
+    f.write(payload)
+
+process([exec_name, input_file]).wait()
+
+core = Coredump('./core')
+
+assert pack(core.eip) in payload
+
+print(cyclic_find(core.eip))
+
+os.remove(input_file)

vuln.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+int copyData(char *string)
+{
+	char buf[32];
+	strcpy(buf, string);
+	return (0);
+}
+
+int main(int argc, char *argv[])
+{
+	char buffer[700];
+	FILE *file;
+    if (argc !=2)
+    {
+        printf("[*] invalid arguments!\n [*] > %s file_name\n",argv[0]);
+        exit(0);
+    }
+	printf("opening file\n");
+	file = fopen(argv[1],"rb");
+	if (!file)
+	{ 
+		//printf("file not opened %s", strerror(errno));
+		fprintf(stderr,"file not opened %s", strerror(errno));
+		//printf("error");
+		return (0);
+	}
+	printf("file opened\n");
+	fread(buffer, 699,1,file);
+	fclose(file);
+	copyData(buffer);
+	return (0);
+}
+		
+