pwnlib coredump example

This commit is contained in:
Liam Dalgarno 2020-11-25 15:16:52 +00:00
parent 49e18c82a9
commit a8cbc66faf
3 changed files with 73 additions and 1 deletions

8
.gitignore vendored

@ -2,6 +2,7 @@
__pycache__/ __pycache__/
*.py[cod] *.py[cod]
*$py.class *$py.class
.vscode
# C extensions # C extensions
*.so *.so
@ -128,5 +129,12 @@ dmypy.json
# Pyre type checker # Pyre type checker
.pyre/ .pyre/
# vscode
.vscode
#vagrant #vagrant
.vagrant .vagrant
# binaries
vuln-32
core

27
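--- /dev/null
+++ b/offset.py
@@ -0,0 +1,27 @@
+from pwnlib.elf.corefile import Coredump
+from pwnlib.util.cyclic import cyclic, cyclic_find
+from pwnlib.util.packing import pack
+from pwnlib.tubes.process import process
+import os
+# TODO: command line arguments
+input_file = "input.txt"
+exec_name = "./vuln-32"
+core_file = "./core"
+os.remove(core_file)
+# TODO Loop until a crash, increase payload size each iteration
+with open(input_file, "wb") as f:
+payload = cyclic(512)
+f.write(payload)
+process([exec_name, input_file]).wait()
+core = Coredump('./core')
+assert pack(core.eip) in payload
+print(cyclic_find(core.eip))
+os.remove(input_file)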
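Review bot: The unconditional `os.remove(core_file)` near the top of the new file raises FileNotFoundError on the very first run, and on any run after one that did not produce a core, so the script aborts before writing the input; guard it with `if os.path.exists(core_file):` / `    os.remove(core_file)`. The dump is then opened as `Coredump('./core')` instead of `Coredump(core_file)`, so the variable and the literal can drift apart if one is edited. Further down, `assert pack(core.eip) in payload` is stripped under `python -O`, and the final `os.remove(input_file)` is skipped whenever that assert fails, so the input file is left behind; wrapping the body in `try`/`finally` around the cleanup, or replacing the assert with `if pack(core.eip) not in payload: raise SystemExit("eip not found in payload")`, keeps both behaviours explicit. Whether a `core` file appears in the working directory at all depends on the host's core-dump settings (core_pattern and the core ulimit), which is worth a line in the header comment next to the TODOs; the rendered page has dropped blank lines and indentation, so exact line positions are inferred.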

37
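--- /dev/null
+++ b/vuln.c
@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+int copyData(char *string)
+{
+char buf[32];
+strcpy(buf, string);
+return (0);
+}
+int main(int argc, char *argv[])
+{
+char buffer[700];
+FILE *file;
+if (argc !=2)
+{
+printf("[*] invalid arguments!\n [*] > %s file_name\n",argv[0]);
+exit(0);
+}
+printf("opening file\n");
+file = fopen(argv[1],"rb");
+if (!file)
+{
+//printf("file not opened %s", strerror(errno));
+fprintf(stderr,"file not opened %s", strerror(errno));
+//printf("error");
+return (0);
+}
+printf("file opened\n");
+fread(buffer, 699,1,file);
+fclose(file);
+copyData(buffer);
+return (0);
+}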
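Review bot: `fread(buffer, 699,1,file)` in `main` discards its return value and never NUL-terminates `buffer`, an uninitialized 700-byte stack array, so for any input shorter than 699 bytes the following `strcpy` in `copyData` reads past the file contents into indeterminate stack memory — undefined behaviour that makes the program's behaviour depend on stack contents rather than on the file. Reading byte-wise and terminating explicitly keeps the read well-defined: `size_t n = fread(buffer, 1, sizeof buffer - 1, file);` / `buffer[n] = '\0';`. The 32-byte `buf` in `copyData` appears to be the deliberately undersized copy target of this example, so I am not proposing to change it, but the error paths (`exit(0)` on bad arguments, `return (0)` when `fopen` fails) report success to the caller; `exit(1);` and `return 1;` would let a driver script tell failure from a normal run. The two commented-out `printf` lines in the `fopen` failure branch are dead code and can be dropped.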