
I am trying to identify the offset in which a buffer overflow occurs via pwntools and gdb. Here is the C code (x64):

#include <stdio.h>

int main(void)
{
        int input[8];          /* 8 ints = 32 bytes on the stack */
        int count, num;
        count = 0;
        while(1)
        {
                printf("Enter:\n");
                scanf("%d", &num);

                if (num == -1){
                        break;
                } else {
                        input[count++] = num;   /* no bounds check: count >= 8 writes past the array */
                }

        }
        return 0;
}

Understanding that the size of the integer is 4 bytes, I am attempting to feed the program a string of integers via pwntools (code below):

from pwn import *

context.log_level = "debug"

# '_file_' is the placeholder for the binary under test
io = gdb.debug('_file_')


for i in range(10):
        io.clean()                      # discard the "Enter:" prompt
        io.sendline(str(i).encode())    # tubes take bytes in Python 3


io.interactive()

However, I am having trouble finding the offset and trying to debug the program via gdb. I would like to be able to see changes to the stack as each integer is input (via ni or si). Is there a better way to identify where the program crashes?

I am using the for loop as a proxy for pattern create (with the hope to see which integer causes the crash).

Any insights would greatly be appreciated!

tbb
  • You can use `p` or `display /x *(unsigned long[32]*)$rsp` (or any other starting point) to dump stack contents as an array after every single-step or breakpoint. That's casting x86-64's stack pointer to a pointer-to-array and dereferencing to get an array. The number formatting isn't fixed-width so it's a bit rough in terms of seeing exactly what offset a certain thing is at, but GDB has more formatting options for array printing, like `print -array -- /x *(unsigned long[32]*)$rsp` – Peter Cordes Jan 31 '23 at 01:07
  • An `int` is 4 bytes on most targets supported by GNU tools, but `char input[8];` has 1-byte elements, so `input[count++] = num;` is storing the low 1 byte of each `int`. – Peter Cordes Jan 31 '23 at 01:11
  • @PeterCordes - For sake of additional understanding, what would change if it was int input[8] (not char as stated initially)? – tbb Jan 31 '23 at 01:20
  • Then you'd of course be storing 4 bytes per iteration. If you're not sure how C works, look at the asm it compiles to. (https://godbolt.org/z/4nYEM9Gj5 ; [How to remove "noise" from GCC/clang assembly output?](https://stackoverflow.com/q/38552116)) – Peter Cordes Jan 31 '23 at 01:34
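Because each `scanf("%d")` stores a whole 4-byte `int`, a byte-wise cyclic pattern does not map cleanly onto this program; the added example below (not code from the asker or the commenters) is a 4-byte-lane version of "pattern create" / "pattern offset": every integer sent encodes its own loop index, so a value seen in a stack slot dumped with the `display` command from the comments can be mapped straight back to the iteration that wrote it and to its byte offset from `input[0]`. `TAG_BASE` and the sample crash value are constructed for the example.

```python
import struct

# Constructed marker: keeps every generated value a valid positive int32 for scanf("%d")
TAG_BASE = 0x4B000000


def make_pattern(n):
    """Return n distinct decimal strings, one per scanf("%d") call, each encoding its index."""
    return [str(TAG_BASE + i) for i in range(n)]


def build_stdin(n):
    """Full stdin for the program: n tagged ints followed by the -1 sentinel that ends the loop."""
    return ("\n".join(make_pattern(n) + ["-1"]) + "\n").encode()


def index_of(value32):
    """Map a 4-byte value back to the loop iteration that stored it, or None if it is not ours."""
    idx = value32 - TAG_BASE
    return idx if 0 <= idx < 0x01000000 else None


def offsets_from_qword(qword, array_len=8):
    """Decode one 8-byte stack slot as read in gdb (e.g. a saved RBP or return address).

    The low half is the lower address, i.e. the int written first. For each recognised
    half, report the loop index, the byte offset from input[0], and how many bytes past
    the end of input[] that write landed.
    """
    lo, hi = struct.unpack("<II", struct.pack("<Q", qword))
    found = []
    for half, value in (("low", lo), ("high", hi)):
        i = index_of(value)
        if i is not None:
            found.append({
                "half": half,
                "index": i,
                "byte_offset": i * 4,
                "past_array": (i - array_len) * 4,
            })
    return found


if __name__ == "__main__":
    # Constructed sample: a slot that gdb showed as 0x4b00000f4b00000e after the crash
    for hit in offsets_from_qword(0x4B00000F4B00000E):
        print(hit)
```

Feed `build_stdin(n)` to the process (for example `io.send(build_stdin(16))` in the pwntools script) and read the overwritten slot from the `display` output; `offsets_from_qword` then tells you which `count` values reached it.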

0 Answers