I have a script that I am using to automate and understand application fuzzing. I am running vulnserver and fuzzing to find the point at which the stack is overflowed and then generate a unique string that will then be sent again to locate at what point the EIP is being overwritten.
The issue that I have is that I have determined that the overflow happens when the initial set of 2100 A's is sent. From there I am generating a string of sequential characters with the script below, an excerpt...
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2
The problem is that when EIP is overwritten with the below, I cannot locate the EIP string in the generated pattern.
Looking for the string...
pattern.find(eip_string)
EIP asciie value: 8qC7
When run in IDLE I can see it find the existing string, but it returns -1 for those it cannot find/that do not exist.
str.find('Aa0')
0
str.find('8qC7')
-1
str.find('foo bar')
-1
Is the issue with how I am generating the string, or something else with the way Python's mechanics work? How can I fix this so that I can find the EIP pattern in the main string?
Method generating pattern... Link to the project/method on Github
import string


class PatternGenerator:  # class name assumed; the poster's own class is not shown
    def __init__(self):
        self.pattern = ''

    def create_pattern(self, length):
        # Cyclic pattern in the msf-pattern_create style: Aa0Aa1...Aa9Ab0...
        index_up, index_down, int_index = 0, 0, 0
        int_list = list(range(0, 10))
        int_limit = len(int_list) - 1   # 9
        char_list = string.ascii_lowercase
        char_limit = len(char_list) - 1  # 25
        pattern = ''
        while len(pattern) < length:
            if int_index <= int_limit:
                new_sequence = char_list[index_up].capitalize() + char_list[index_down] + str(int_list[int_index])
                pattern = pattern + new_sequence
                int_index += 1
            else:
                # digits exhausted: advance the lowercase letter, then the uppercase one
                int_index = 0
                index_down += 1
                # The original compared with '>=' here, which reset at 'y' and never
                # emitted 'z' (25 lowercase letters per uppercase block instead of 26).
                # That is why the offset reported further down (1943) is lower than
                # what msf-pattern_create gives for the same four bytes '7Co8' (2003).
                if index_down > char_limit:
                    index_down = 0
                    index_up += 1
                    if index_up > char_limit:
                        index_up = 0
        self.pattern = pattern[:length]
        return self.pattern
Issue Summary
So I figured out what the issue was. Obviously the EIP value was little-endian. Because of that, all I had to do was reverse the produced string and that solved my issue.
Basic PICNIC error!
>> s = bytearray.fromhex(eip_query).decode()
>> s
'8oC7'
>> s[::-1]
'7Co8'
>> pattern.find_offset(s[::-1])
1943
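As an added example (not the poster's project code), here is the whole workflow in one standalone script: an msf-pattern_create-style generator, the little-endian conversion of the EIP value as the debugger displays it, and an offset lookup that rejects ambiguous hits. It generates the standard pattern, so for this crash it reports 2003 rather than the 1943 the poster's generator produced (that generator skipped 'z' in the lowercase position); the value 0x386F4337 is a constructed sample, the DWORD whose hex decodes to '8oC7'.

```python
import itertools
import string
import struct


def create_pattern(length: int) -> bytes:
    """msf-pattern_create-style cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9.

    Each (upper, lower, digit) triplet is unique, so every 4-byte window
    maps to exactly one offset until the sequence wraps at 20280 bytes.
    """
    triplets = (
        (u + l + d).encode()
        for u, l, d in itertools.product(
            string.ascii_uppercase, string.ascii_lowercase, string.digits
        )
    )
    return b"".join(itertools.islice(triplets, length // 3 + 1))[:length]


def eip_as_displayed(eip: int) -> str:
    """The text you get by hex-decoding the debugger's EIP, e.g. '8oC7'.
    This is the DWORD in big-endian order, NOT the order in memory."""
    return eip.to_bytes(4, "big").decode("ascii")


def eip_in_memory_order(eip: int) -> bytes:
    """x86 is little-endian: pack the DWORD back into the byte order in
    which the pattern overwrote the saved return address, e.g. b'7Co8'."""
    return struct.pack("<I", eip)


def find_offset(pattern: bytes, eip: int) -> int:
    """Offset of the four pattern bytes that landed in EIP, or -1."""
    needle = eip_in_memory_order(eip)
    offset = pattern.find(needle)
    if offset != -1 and pattern.find(needle, offset + 1) != -1:
        raise ValueError("EIP bytes occur twice in the pattern; it is too long")
    return offset


def find_offset_from_hex(pattern: bytes, eip_hex: str) -> int:
    """Same lookup from the hex string copied out of the debugger ('386F4337')."""
    return find_offset(pattern, int(eip_hex, 16))


if __name__ == "__main__":
    pattern = create_pattern(2100)
    eip = 0x386F4337  # constructed sample: what the debugger shows after this crash
    print(eip_as_displayed(eip), pattern.find(eip_as_displayed(eip).encode()))  # 8oC7 -1
    print(eip_in_memory_order(eip), find_offset(pattern, eip))                  # b'7Co8' 2003
```

The first print reproduces the -1 from the question (searching for the display-order string); the second applies the little-endian fix and finds the offset.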