
Bug-Report [FmtStr] list index out of range

Open serfend opened this issue 2 years ago • 3 comments

Traceback (most recent call last):
  File "~/pwn/main.py", line 24, in <module>
    auto = FmtStr(exec_fmt)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 844, in __init__
    self.offset, self.padlen = self.find_offset()
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 863, in find_offset
    leak = self.leak_stack(off, marker)
  File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 854, in leak_stack
    leak = re.findall(br"START(.*?)END", leak, re.MULTILINE | re.DOTALL)[0]
IndexError: list index out of range

# Reporter's script (sgtlibc is a third-party CTF helper library; FmtStr is
# pwntools', see pwnlib/fmtstr.py in the traceback above)
import sgtlibc
from sgtlibc.utils.shell import check_shell_validate
from sgtlibc.gamebox import *
from pwnlib.fmtstr import FmtStr

set_config(GameBoxConfig(
    is_local=True,
    file='./code.bin',
    remote='192.168.0.0:8888',
    auto_load=True,
    auto_show_rop=True,
    auto_show_summary=True,
    auto_start_game=True,
    auto_load_shell_str=True,
    auto_show_symbols=True
))

elf = client.elf


def exec_fmt(data: bytes):
    # Callback handed to FmtStr: restart the target, send the probe format
    # string, and return whatever the target prints in response.
    start_game()
    sl(data)
    r = rc()
    return r


auto = FmtStr(exec_fmt)
print(auto.offset)
interactive()

pingme.zip

serfend, Jun 26 '22 14:06

This error is not the prettiest one, but it generally says that your function does not correctly return the executed format. Try for yourself whether exec_fmt(b'START%pEND') returns a sane bytestring.

Arusekk, Aug 15 '22 10:08

I had this same issue, it was due to the fact that the binary only accepted 32 bytes, but the format string generated was 1 byte longer than this, which resulted in END being truncated and not matching the regex.

I fixed the issue locally by changing the cyclic(20) here to cyclic(8). Is there any particular reason 20 was chosen?

You can reproduce this with this binary: https://imaginaryctf.org/f/S1CB7#pwn

gsingh93, Sep 05 '22 16:09
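Both diagnoses above (Arusekk's "check what exec_fmt actually returns" and gsingh93's "the probe is one byte too long for a 32-byte read") can be checked offline before handing a callback to FmtStr. The script below is an added example, not code from the issue or from pwntools: it replays the probe that FmtStr.find_offset() builds (a 20-byte filler followed by START%N$pEND, matched with the same START(.*?)END regex) against a constructed stand-in for the target that reads at most 32 bytes and echoes them with each %p expanded to a fake pointer. The plain "A" filler standing in for pwntools' cyclic(), the fake pointer values and the 32-byte limit are all assumptions made for the example; only the payload lengths matter for the diagnosis.

```python
import re

# Same pattern pwnlib.fmtstr.FmtStr.leak_stack() uses to recover the leaked value.
MARKER_RE = re.compile(br"START(.*?)END", re.MULTILINE | re.DOTALL)

# Matches %p and positional %N$p so the fake target can "print" them.
FMT_RE = re.compile(br"%(?:(\d+)\$)?p")


def fake_exec_fmt_factory(max_input: int):
    """Return an exec_fmt-style callback backed by a constructed stand-in for
    the vulnerable program. It accepts at most `max_input` bytes (the 32-byte
    read described in the thread) and echoes them back with every %p / %N$p
    replaced by a fake pointer, which is all FmtStr needs to see."""
    def expand(m):
        idx = int(m.group(1)) if m.group(1) else 0
        return b"0x%016x" % (0x61616161 + idx)  # constructed, not a real leak

    def exec_fmt(payload: bytes) -> bytes:
        accepted = payload[:max_input]          # input truncated like the target
        return FMT_RE.sub(expand, accepted)
    return exec_fmt


def sanity_check(exec_fmt) -> bool:
    """Arusekk's check: does the simplest probe come back with both markers?"""
    return MARKER_RE.search(exec_fmt(b"START%pEND")) is not None


def probe_markers(exec_fmt, marker_len: int, max_offset: int = 12) -> dict:
    """Replay FmtStr.find_offset()'s probes (filler + START%N$pEND) and record,
    per offset, the payload length and whether START...END survived the round
    trip. "A" bytes stand in for pwntools' cyclic(marker_len)."""
    marker = b"A" * marker_len
    results = {}
    for off in range(1, max_offset + 1):
        payload = marker + b"START%%%d$pEND" % off
        found = MARKER_RE.findall(exec_fmt(payload))
        results[off] = {
            "payload_len": len(payload),
            "intact": bool(found),
            "leak": found[0] if found else None,
        }
    return results


def first_broken_offset(results: dict):
    """Smallest offset whose marker pair was lost, or None if all survived."""
    for off in sorted(results):
        if not results[off]["intact"]:
            return off
    return None


if __name__ == "__main__":
    target = fake_exec_fmt_factory(max_input=32)
    print("sanity check passes:", sanity_check(target))
    # 20-byte filler (pwntools default) vs. the 8-byte filler gsingh93 used locally.
    for marker_len in (20, 8):
        res = probe_markers(target, marker_len)
        broken = first_broken_offset(res)
        print("marker_len=%d: first offset losing its markers: %r" % (marker_len, broken))
        if broken is not None:
            print("  payload was %d bytes, longer than the 32-byte read"
                  % res[broken]["payload_len"])
```

With the 20-byte filler the probe is exactly 32 bytes for offsets 1 to 9 and 33 bytes from offset 10 on, so END loses its last byte and the regex finds nothing, which is the IndexError in the traceback; with an 8-byte filler every probe fits. Running the real exec_fmt through sanity_check and probe_markers (with max_offset raised to where the format string is expected to sit) shows whether the callback returns the program's output at all and at which offset truncation begins, before FmtStr ever raises.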

15 would probably be enough to cover all 7 offsets in case of 8-bit pointers, not sure why 20; the blame traces back to the original 2015 implementation by kokjo.

Arusekk, Jan 02 '24 21:01