pwntools
Bug-Report [FmtStr] list index out of range
Traceback (most recent call last):
  File "~/pwn/main.py", line 24, in <module>
    auto = FmtStr(exec_fmt)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 844, in __init__
    self.offset, self.padlen = self.find_offset()
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 863, in find_offset
    leak = self.leak_stack(off, marker)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 854, in leak_stack
    leak = re.findall(br"START(.*?)END", leak, re.MULTILINE | re.DOTALL)[0]
IndexError: list index out of range
import sgtlibc
from sgtlibc.utils.shell import check_shell_validate
from sgtlibc.gamebox import *
from pwnlib.fmtstr import FmtStr  # explicit import: the traceback shows this is pwntools' FmtStr

set_config(GameBoxConfig(
    is_local=True,
    file='./code.bin',
    remote='192.168.0.0:8888',
    auto_load=True,
    auto_show_rop=True,
    auto_show_summary=True,
    auto_start_game=True,
    auto_load_shell_str=True,
    auto_show_symbols=True
))
elf = client.elf

def exec_fmt(data: bytes):
    # Callback handed to FmtStr: restart the target, send the format string,
    # and hand back whatever the program prints in reply.
    start_game()
    sl(data)
    r = rc()
    return r

auto = FmtStr(exec_fmt)  # line 24 in the traceback above
print(auto.offset)
interactive()
This error is not the prettiest one, but it generally says that your function does not correctly return the executed format. Try for yourself whether exec_fmt(b'START%pEND') is a sane bytestring.
I had this same issue; it was due to the fact that the binary only accepted 32 bytes, but the format string generated was 1 byte longer than this, which resulted in END being truncated and not matching the regex.
I fixed the issue locally by changing the cyclic(20) here to cyclic(8). Is there any particular reason 20 was chosen?
You can reproduce this with this binary: https://imaginaryctf.org/f/S1CB7#pwn
15 would probably be enough to cover all 7 offsets in case of 8-bit pointers, not sure why 20; the blame traces back to the original 2015 implementation by kokjo.
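A constructed Python illustration of the length problem discussed in this thread (added here; it is neither pwntools' code nor the reporter's): build_probe mirrors the marker-plus-START%N$pEND layout that find_offset sends, fake_target is an assumed stand-in for a binary that reads at most 32 bytes and printf()s them, and the marker is a plain placeholder of the same length as cyclic(20). It also shows why the short START%pEND sanity probe passes while the real offset-10 probe does not.

```python
import re

# Probe layout that pwnlib.fmtstr.FmtStr.find_offset sends for each candidate
# offset: a 20-byte marker (cyclic(20) in pwntools) followed by START%<off>$pEND.
# The marker here is a constructed placeholder of the same length.
MARKER_LEN = 20

def build_probe(off: int, marker_len: int = MARKER_LEN) -> bytes:
    return b"A" * marker_len + b"START%%%d$pEND" % off

def fake_target(data: bytes, bufsize: int = 32) -> bytes:
    """Constructed stand-in for the reporter's binary: read at most bufsize
    bytes, then printf() them, so %p / %N$p turn into a fake pointer value."""
    fmt = data[:bufsize]
    return re.sub(rb"%(?:\d+\$)?p", b"0x4141414141414141", fmt)

def parse_leak(reply: bytes):
    """Same regex as leak_stack; returns None where pwntools hits IndexError."""
    found = re.findall(rb"START(.*?)END", reply, re.MULTILINE | re.DOTALL)
    return found[0] if found else None

def sanity_probe(exec_fmt) -> bool:
    """The quick check from the maintainer's reply: does START%pEND survive?"""
    return parse_leak(exec_fmt(b"START%pEND")) is not None

def check_exec_fmt(exec_fmt, max_off: int = 12, marker_len: int = MARKER_LEN):
    """Replay find_offset's real probes; return (offset, probe length) of the
    first one whose END marker is lost, or None if all of them come back."""
    for off in range(1, max_off + 1):
        probe = build_probe(off, marker_len)
        if parse_leak(exec_fmt(probe)) is None:
            return off, len(probe)
    return None

if __name__ == "__main__":
    # The short sanity probe passes, yet at offset 10 the probe grows to
    # 33 bytes and the 32-byte read drops the "D" of END.
    print(sanity_probe(fake_target))                  # True
    print(check_exec_fmt(fake_target))                # (10, 33)
    print(check_exec_fmt(fake_target, marker_len=8))  # None
```

Running check_exec_fmt against your own exec_fmt before constructing FmtStr turns the IndexError into a clear report of which offset overflows the target's input buffer.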