De Bruijn Sequences
The better way to calculate offsets
A De Bruijn sequence of order `n` over some alphabet is a sequence in which every possible string of `n` characters from that alphabet occurs exactly once, so no `n`-character substring is ever repeated. This makes finding the offset to EIP much simpler: we pass in a De Bruijn sequence, read the value that ends up in EIP and find the one place in the sequence where that substring occurs, which gives us the offset directly. Let's do this on the ret2win binary.
`radare2` comes with a nice command-line tool (called `ragg2`) that can generate one for us. Let's create a sequence of length 100.
$ ragg2 -P 100 -r
`-P` specifies the length, while `-r` tells it to show ASCII bytes rather than hex pairs.
Now we have the pattern, let's input it in `radare2` when prompted for input, make the program crash and then calculate how far along the sequence the value in EIP is. Simples.
$ r2 -d -A vuln
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41534141 code=1 ret=0
The address it crashes on is `0x41534141`; we can use the `wopO` command to work out the offset of that value within the pattern.
[0x41534141]> wopO 0x41534141
Awesome - we get the correct value!
We can also be lazy and not copy the value.
[0x41534141]> wopO `dr eip`
The backticks mean that `dr eip` is evaluated first, and `wopO` is then run on its result.
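As an added example (this is not code from the original page, nor from radare2 or ragg2), here is a stdlib-only Python implementation of both steps above: generating an order-4 De Bruijn pattern like `ragg2 -P`, and mapping the value that lands in EIP back to its offset like `wopO`, taking care of the little-endian byte order of the register and of the case where the crash value did not come from the pattern at all. The uppercase alphabet is an assumption of this example and differs from the one `ragg2` uses, so an offset is only meaningful against the pattern that actually produced the crash.

```python
"""De Bruijn pattern generation and EIP-offset lookup (stdlib only)."""
import itertools
import struct

# Assumed alphabet for this example: 26 uppercase letters. ragg2 uses its
# own alphabet, so never compare offsets across tools, only against the
# exact pattern that was fed to the crashing program.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def de_bruijn(alphabet: str, n: int):
    """Yield the De Bruijn sequence B(k, n) over `alphabet`, one char at a time.

    Every string of n symbols appears exactly once (treating the sequence as
    cyclic), so every n-character window of any prefix is unique. This is the
    standard recursive construction via Lyndon words.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic_pattern(length: int, n: int = 4, alphabet: str = ALPHABET) -> str:
    """Return the first `length` characters of B(len(alphabet), n).

    Any prefix keeps all n-character windows unique; the generator simply
    runs out after len(alphabet)**n characters, so ask for less than that.
    """
    return "".join(itertools.islice(de_bruijn(alphabet, n), length))


def find_offset(pattern: str, reg_value: int, width: int = 4):
    """Map the value found in EIP (width 4) or RIP (width 8) to its offset.

    The register holds the overwritten bytes little-endian, so 0x41534141
    corresponds to the substring "AASA" in memory order. Returns None when
    the value is not part of the pattern (the crash came from elsewhere).
    """
    fmt = {4: "<I", 8: "<Q"}[width]
    needle = struct.pack(fmt, reg_value).decode("ascii", errors="replace")
    idx = pattern.find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    pat = cyclic_pattern(100)
    print(pat)
    # Constructed crash: pretend the saved EIP was overwritten by bytes 44..47
    # of the pattern, exactly what a real overflow would leave in the register.
    crashed_eip = struct.unpack("<I", pat[44:48].encode())[0]
    print(hex(crashed_eip), "-> offset", find_offset(pat, crashed_eip))
```

`find_offset` returning `None` is the check worth keeping: if the value in EIP is not in the pattern, either the pattern was too short to reach the saved return address or the crash happened for a different reason, and a guessed offset would only waste time.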