
If any of you are familiar with the basics of exploit development, you know that when you exploit a potential buffer overflow, normally to find the offset of your buffer that "clobbered" a specific register you want to modify, you send an input like this:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag

and then by using a debugger and passing the value found overflowing into the desired buffer location into a tool, you'll get the offset to know where to begin inserting your payload.

With pwntools, which only supports ELF files, this can be automated, skipping that debugger step neatly with cyclic(200, n=8) and cyclic_find(core.read(core.rsp, 8), n=8). Here is a full example:

from pwn import *

elf = ELF("./exploit_this") # reminds the user that only ELFs are supported

# Start the target, feed it the 200-byte cyclic pattern and wait for the crash
p = process("./exploit_this")
p.sendline(cyclic(200, n=8))
p.wait()

# pwntools locates the corefile written for the crashed process
core = p.corefile

# The 8 bytes at the faulting rsp are a unique window of the pattern,
# so looking them up gives the offset at which the payload must begin
print(cyclic_find(core.read(core.rsp, 8), n=8))

However, I can't, at least with pwntools, get the corefile for a PE file. Is there any alternate way to do it in Python? Note that I'm not asking for a way as abstracted as with pwntools, even just getting the corefile within Python would be what I need. I can write the cyclic functions myself no problem.

J.Todd
  • As a side-note, I have asked the contributors on `pwntools` about what challenge, if any, stands in the way of Windows PE support, haven't gotten an answer yet, although I suspect it has something to do with Windows possibly having a less transparent approach to handling crashes or something. But I know we obviously *can* dump and access a core file in Windows since I can open a debugger and do it. [Relevant GitHub issue.](https://github.com/Gallopsled/pwntools/issues/1987) Perhaps the answer to this question would help me make a contribution. – J.Todd Oct 27 '21 at 12:49
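An added example, not from the question or from pwntools: a self-contained Python re-implementation of cyclic() and cyclic_find() over a de Bruijn sequence (using the same lowercase alphabet pwntools does), so the offset step works on any 8 bytes or register value copied out of a debugger, with no ELF or corefile needed. The return_address_offset helper and its 40-byte buffer plus 8-byte saved-register frame layout are constructed for illustration only.

```python
# Added example (not from the question or from pwntools): standalone
# cyclic()/cyclic_find() built on a de Bruijn sequence, usable on any
# bytes or register value taken from a debugger, no corefile required.
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # same alphabet pwntools uses

def de_bruijn(alphabet=ALPHABET, n=8):
    """Lazily yield B(k, n): every n-byte window of the stream is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def cyclic(length, n=8):
    """First `length` bytes of the pattern, e.g. cyclic(200, n=8)."""
    return bytes(islice(de_bruijn(n=n), length))

def cyclic_find(subseq, n=8, max_len=1 << 20):
    """Offset of `subseq` in the pattern, or -1 if not found within max_len.
    An int is taken as a register value and packed little-endian, which is
    the byte order in which the pattern sits in memory on x86-64."""
    if isinstance(subseq, int):
        subseq = struct.pack("<Q", subseq)[:n]
    if len(subseq) != n:
        raise ValueError(f"need exactly {n} bytes, got {len(subseq)}")
    window = bytearray()
    for i, b in enumerate(islice(de_bruijn(n=n), max_len)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if len(window) == n and window == subseq:
            return i - n + 1
    return -1

def return_address_offset(pattern, buf_size=40, saved_regs=8):
    """Constructed stand-in for core.read(core.rsp, 8): the 8 pattern bytes
    that land in the return slot of a frame with `buf_size` bytes of buffer
    and `saved_regs` bytes of saved registers above it (hypothetical layout)."""
    slot = pattern[buf_size + saved_regs: buf_size + saved_regs + 8]
    return cyclic_find(slot, n=8)
```

A value shown by a debugger as RIP=0x6261616161616161 resolves to offset 1 because the packed bytes are b"aaaaaaab"; pass it as an int and the packing is done for you.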
