Reputation: 25
I am trying to identify the offset in which a buffer overflow occurs via pwntools and gdb. Here is the C code (x64):
#include <stdio.h>

int main(void)
{
    int input[8];
    int count, num;
    count = 0;
    while(1)
    {
        printf("Enter:\n");
        scanf("%d", &num);
        if (num == -1){
            break;
        } else {
            input[count++] = num;   /* no bounds check: the 9th value writes past input[7] */
        }
    }
    return 0;
}
Understanding that the size of the integer is 4 bytes, I am attempting to feed the program a string of integers via pwntools (code below):
from pwn import *

context.log_level = "debug"
io = gdb.debug('_file_')                    # path to the target binary

for i in range(0, 10, 1):                   # 10 ints into an 8-int array
    io.clean()                              # discard the "Enter:" prompt
    io.sendline("{:d}".format(i).encode())  # sendline expects bytes on Python 3
io.interactive()
However, I am having trouble finding the offset and trying to debug the program via gdb. I would like to be able to see changes to the stack as each integer is input (via ni or si). Is there a better way to identify where the program crashes?
I am using the for loop as a proxy for pattern create (with the hope to see which integer causes the crash).
Any insights would be greatly appreciated!
Upvotes: 1
Views: 876
Reputation: 110
You can use the cyclic pattern tool that comes with pwntools. Just type
cyclic n
where n is the number of bytes of cyclic pattern you want to generate.
Run the program in gdb and provide the cyclic pattern as input; when the program crashes, check
eip / rsp
This will be our offset. Now run
cyclic -l offset_found
This tells us the offset to reach the instruction pointer register. Say the output of the command is 104: that means the next 4 bytes (in a 32-bit binary) or the next 8 bytes (in a 64-bit binary) after 104 bytes will overwrite the instruction pointer.
Upvotes: 0
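The target in the question reads its input with scanf("%d") one integer at a time, so a byte-wise cyclic pattern cannot be fed to it as-is. Below is an added example (not code from the question or the answer) of the same idea done with distinct 4-byte integer markers: generate the values to send, and decode the register value seen at the crash back into the input index, the integer equivalent of `cyclic -l`. The stack layout in simulate_frame() is a constructed assumption for illustration; the real frame layout must be read from the binary in gdb.

```python
# Integer "pattern create" for a program that reads input with scanf("%d").
# Each 4-byte int slot gets its own distinct marker, and the 8-byte register
# value seen in gdb at the crash (x64) is decoded back into the index of the
# input int that reached it.
import struct

def int_pattern(count, base=0x41410000):
    """Distinct 32-bit markers 0x41410000, 0x41410001, ... (easy to spot in gdb).
    The base keeps clear of 0xffffffff (-1), which would end the target's loop."""
    return [base + i for i in range(count)]

def scanf_inputs(markers):
    """Markers as scanf("%d") reads them: decimal strings of the signed 32-bit value."""
    return [str(struct.unpack('<i', struct.pack('<I', m))[0]) for m in markers]

def find_offset(crash_value, markers, word=8):
    """Map a register value observed at the crash (word bytes, 8 on x64) back to
    the index of the first input int that landed in it; None if it is not our pattern."""
    parts = struct.unpack('<%dI' % (word // 4), crash_value.to_bytes(word, 'little'))
    if parts[0] not in markers:
        return None
    idx = markers.index(parts[0])
    # the remaining slots must hold the following markers, in order
    return idx if list(parts) == markers[idx:idx + len(parts)] else None

def simulate_frame(values, buf_ints=8, saved_rbp=8, ret=8):
    """Constructed stand-in for the target (assumed layout): int input[8], then
    the saved rbp, then the return address. Writes the values unchecked like the
    target's loop and returns the 8-byte value left in the return-address slot."""
    frame = bytearray(buf_ints * 4 + saved_rbp + ret)
    for i, v in enumerate(values):          # no bounds check, as in the target
        if i * 4 + 4 > len(frame):          # the stand-in stops at the end of the frame
            break
        struct.pack_into('<I', frame, i * 4, v & 0xffffffff)
    return int.from_bytes(frame[-ret:], 'little')

if __name__ == '__main__':
    markers = int_pattern(12)
    crash = simulate_frame(markers)
    idx = find_offset(crash, markers)
    print('send: %s' % ' '.join(scanf_inputs(markers)))
    print('crash value 0x%016x -> input index %d (byte offset %d)' % (crash, idx, idx * 4))
```

With the assumed layout the return address is reached by inputs 10 and 11, i.e. 40 bytes past the start of input[]; on the real binary the same decoding applies to whatever value gdb shows in the faulting register.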