Calculating Padding Length

Used in buffer overflow attacks.

Setting up a buffer overflow attack requires padding the available buffer and overwriting the return address to redirect the execution flow.

The steps are as follows:

  1. Set a breakpoint just after the call to `read()` that fills the buffer, so the input is already in memory when you inspect the frame.
  2. Find the buffer starting address: provide a cyclic pattern that is unique enough to locate in memory as input to the program. This can be written by hand or generated with a function such as `cyclic(10)` from pwntools.
  3. Search for the pattern: use the pwndbg command `search <pattern>`.
  4. Get the value of RBP and calculate the distance: `info frame` shows the address of the saved RBP slot (the `rbp at ...` entry under "Saved registers", which is what RBP points to inside the function); then run `distance <pattern address> <RBP address>`.

Example:

```
pwndbg> search ABA
Searching for byte: b'ABA'
[stack]         0x7ffec0f085b0 0xa414241 /* 'ABA\n' */
pwndbg> info frame
Stack level 0, frame at 0x7ffec0f085e0:
 rip = 0x400735 in pwnme; saved rip = 0x4006d7
 called by frame at 0x7ffec0f085f0
 Arglist at 0x7ffec0f085d0, args:
 Locals at 0x7ffec0f085d0, Previous frame's sp is 0x7ffec0f085e0
 Saved registers:
  rbp at 0x7ffec0f085d0, rip at 0x7ffec0f085d8
pwndbg> distance 0x7ffec0f085b0 0x7ffec0f085d0
0x7ffec0f085b0->0x7ffec0f085d0 is 0x20 bytes (0x4 words)
```

Important

The measured distance is the distance between the start of the buffer and the slot holding the saved base pointer (RBP), not the return address. The return address is stored immediately above it, at RBP + 8 (the output above shows `rbp at 0x7ffec0f085d0, rip at 0x7ffec0f085d8`). This means the payload needs an additional 8 bytes of padding to cover the saved RBP before reaching the return address. In the above example, this corresponds to 0x20 + 8 = 0x28 (40) bytes of padding.
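The following is an added example, not part of the original playbook: it parses the `search` and `info frame` output shown above, applies the RBP + 8 rule, and cross-checks the result against the saved `rip` slot so a mistaken offset is caught before anything is built on it. The pwndbg output is embedded verbatim as constructed sample input.

```python
import re

# Constructed sample input: the pwndbg session from the playbook above.
SEARCH_OUTPUT = """pwndbg> search ABA
Searching for byte: b'ABA'
[stack]         0x7ffec0f085b0 0xa414241 /* 'ABA\\n' */
"""
FRAME_OUTPUT = """Stack level 0, frame at 0x7ffec0f085e0:
 rip = 0x400735 in pwnme; saved rip = 0x4006d7
 called by frame at 0x7ffec0f085f0
 Arglist at 0x7ffec0f085d0, args:
 Locals at 0x7ffec0f085d0, Previous frame's sp is 0x7ffec0f085e0
 Saved registers:
  rbp at 0x7ffec0f085d0, rip at 0x7ffec0f085d8
"""


def parse_search_hit(text: str) -> int:
    """Return the address of the first `search` hit, i.e. the buffer start."""
    m = re.search(r"^\[\w+\]\s+(0x[0-9a-f]+)", text, re.M)
    if not m:
        raise ValueError("no search hit found in pwndbg output")
    return int(m.group(1), 16)


def parse_saved_registers(text: str) -> dict:
    """Return {'rbp': addr, 'rip': addr} from the 'Saved registers' block of `info frame`."""
    regs = dict(re.findall(r"(rbp|rip) at (0x[0-9a-f]+)", text))
    if set(regs) != {"rbp", "rip"}:
        raise ValueError("saved rbp/rip slots not found in info frame output")
    return {name: int(addr, 16) for name, addr in regs.items()}


def padding_length(search_text: str, frame_text: str) -> int:
    """Bytes from the buffer start up to (not including) the saved return address."""
    buf = parse_search_hit(search_text)
    regs = parse_saved_registers(frame_text)
    distance = regs["rbp"] - buf   # what pwndbg's `distance` command reports (0x20 here)
    padding = distance + 8         # skip the 8-byte saved-RBP slot to reach saved rip
    # Cross-check with the frame output itself: the saved rip slot must sit exactly
    # `padding` bytes past the buffer; a mismatch means the frame layout is not the
    # usual push rbp / mov rbp, rsp prologue and the +8 rule does not apply as-is.
    if regs["rip"] - buf != padding:
        raise ValueError(f"saved rip is {regs['rip'] - buf} bytes past buffer, expected {padding}")
    return padding


if __name__ == "__main__":
    print(hex(padding_length(SEARCH_OUTPUT, FRAME_OUTPUT)))  # 0x28
```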