Types
Other
De Bruijn Sequences
The better way to calculate offsets
De Bruijn sequences of order
n is simply a sequence where no string of n characters is repeated. This makes finding the offset until EIP much simpler - we can just pass in a De Bruijn sequence, get the value within EIP and find the one possible match within the sequence to calculate the offset. Let's do this on the ret2win binary.Generating the Pattern
Again,
radare2 comes with a nice command-line tool (called ragg2) that can generate it for us. Let's create a sequence of length 100.1
$ ragg2 -P 100 -r
2
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
Copied!
The
-P specifies the length while -r tells it to show ascii bytes rather than hex pairs.Using the Pattern
Now we have the pattern, let's just input it in
radare2 when prompted for input, make it crash and then calculate how far along the sequence the EIP is. Simples.1
$ r2 -d -A vuln
2
​
3
[0xf7ede0b0]> dc
4
Overflow me
5
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
6
child stopped with signal 11
7
[+] SIGNAL 11 errno=0 addr=0x41534141 code=1 ret=0
Copied!
The address it crashes on is
0x41534141; we can use radare2's in-built wopO command to work out the offset.1
[0x41534141]> wopO 0x41534141
2
52
Copied!
Awesome - we get the correct value!
We can also be lazy and not copy the value.
1
[0x41534141]> wopO `dr eip`
2
52
Copied!
The backticks means the
dr eip is calculated first, before the wopO is run on the result of it.Last modified 1yr ago
Export as PDF
Copy link