Saturday 23 October 2021

How can I get a corefile for a PE in Python like I can with pwntools for an ELF?

If you are familiar with the basics of exploit development, you know that when exploiting a buffer overflow, the usual way to find the offset within your buffer that "clobbered" the register you want to control is to send a cyclic input like this:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag

and then, in a debugger, read the value that landed in the clobbered register and pass it to a pattern-offset tool, which gives you the offset at which to begin inserting your payload.

With pwntools, which only supports ELF files, this can be automated, skipping that debugger step neatly with cyclic(200, n=8) and cyclic_find(core.read(core.rsp, 8), n=8). Here is a full example:

from pwn import *

elf = ELF("./exploit_this") # reminds the user that only ELFs are supported

p = process("./exploit_this")
p.sendline(cyclic(200, n=8)) # 200-byte De Bruijn pattern whose 8-byte windows are unique
p.wait() # wait for the crash so the kernel writes a core dump

core = p.corefile # pwntools locates and parses the core dump

print(cyclic_find(core.read(core.rsp, 8), n=8)) # offset of the 8 bytes found at rsp in the core

However, I can't, at least with pwntools, get the corefile for a PE file. Is there any alternate way to do it in Python? Note that I'm not asking for something as abstracted as pwntools; even just getting the corefile within Python would be what I need. I can write the cyclic functions myself, no problem.
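For the pattern part of the question, here is an added example (not the questioner's code and not pwntools): it generates the Metasploit-style Aa0Aa1... pattern shown above and looks up the offset of bytes recovered from a crash. It assumes the bytes are read in memory order, as pwntools' core.read(core.rsp, 8) returns them; an integer register value copied from a debugger is converted from little-endian first.

```python
import string

# Period of the Metasploit-style pattern: 26 uppers * 26 lowers * 10 digits * 3 chars
PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before any triple repeats


def pattern_create(length):
    """Return the first `length` characters of the Aa0Aa1Aa2... pattern.

    Each triple is (uppercase, lowercase, digit); the digit cycles fastest, then
    the lowercase letter, then the uppercase letter. Every triple occurs once,
    which makes every 4-byte window of the pattern unique.
    """
    if length > PATTERN_PERIOD:
        raise ValueError("patterns longer than %d bytes repeat" % PATTERN_PERIOD)
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(needle, length=PATTERN_PERIOD):
    """Return the offset of `needle` in the pattern, or None if it is not in it.

    `needle` may be raw bytes in memory order (what a core/minidump read gives),
    a str, or an integer register value, which is converted from little-endian
    (4 bytes if it fits in 32 bits, 8 otherwise) so a debugger value can be
    looked up directly.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(4 if needle <= 0xFFFFFFFF else 8, "little")
    elif isinstance(needle, str):
        needle = needle.encode()
    pos = pattern_create(length).encode().find(needle)
    return None if pos == -1 else pos


if __name__ == "__main__":
    # Constructed sample: 8 bytes a crash dump might show at the saved return slot.
    crashed_slot = b"Ab3Ab4Ab"
    print(pattern_create(200))
    print(pattern_offset(crashed_slot))  # 39
    print(pattern_offset(0x41326141))    # 6, from a 32-bit register value
```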



