Incorrect/weird offsets with Fmtstr()/fmtstr_payload()

CHANGELOG.md

@@ -135,6 +135,7 @@ The table below shows which release corresponds to each branch, and what date th
 - [#2435][2435] Speed up gdbserver handshake in gdb.debug()
 - [#2436][2436] Add resolution_addr parameter to Ret2dlresolvePayload
 - [#2497][2497] Fix remote.fromsocket() to handle AF_INET6 socket
+- [#2532][2532] Fix various bugs from FmtStr()/fmtstr_payload()
 
 [2436]: https://github.com/Gallopsled/pwntools/pull/2436
 [2371]: https://github.com/Gallopsled/pwntools/pull/2371
@@ -157,6 +158,7 @@ The table below shows which release corresponds to each branch, and what date th
 [2435]: https://github.com/Gallopsled/pwntools/pull/2435
 [2437]: https://github.com/Gallopsled/pwntools/pull/2437
 [2497]: https://github.com/Gallopsled/pwntools/pull/2497
+[2532]: https://github.com/Gallopsled/pwntools/pull/2532
 
 ## 4.13.1
 

pwnlib/fmtstr.py

@@ -886,9 +886,14 @@ def fmtstr_payload(offset, writes, numbwritten=0, write_size='byte', write_size_
     all_atoms = make_atoms(writes, sz, szmax, numbwritten, overflows, strategy, badbytes)
 
     fmt = b""
+    # Predict the size of bytes to substract.
+    # We consider that the pattern ``START%XXX$pEND`` is always used.
+    # This is because ``prefix`` got placed after ``payload``.
+    search_pattern = "START%%d$pEND" % offset
+    reverse_offset = len(search_pattern) + (len(search_pattern) % context.bytes)
     for _ in range(1000000):
         data_offset = (offset_bytes + len(fmt)) // context.bytes
-        fmt, data = make_payload_dollar(offset + data_offset, all_atoms, numbwritten=numbwritten, no_dollars=no_dollars)
+        fmt, data = make_payload_dollar(offset + data_offset - (reverse_offset // context.bytes), all_atoms, numbwritten=numbwritten, no_dollars=no_dollars)
         fmt = fmt + cyclic((-len(fmt)-offset_bytes) % context.bytes)
 
         if len(fmt) + offset_bytes == data_offset * context.bytes:
@@ -935,7 +940,7 @@ def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0, badbytes=f
 
     def leak_stack(self, offset, prefix=b""):
         payload = b"START%%%d$pEND" % offset
-        leak = self.execute_fmt(prefix + payload)
+        leak = self.execute_fmt(payload + prefix)
         try:
             leak = re.findall(br"START(.*?)END", leak, re.MULTILINE | re.DOTALL)[0]
             leak = int(leak, 16)
@@ -967,12 +972,16 @@ def _leaker(self, addr):
             return b"\x7f"
 
         fmtstr = fit({
-          self.padlen: b"START%%%d$sEND" % (self.offset + 16//context.bytes),
+          self.padlen: b"START%%%d$sEND" % (self.offset),
           16 + self.padlen: addr
         })
 
         leak = self.execute_fmt(fmtstr)
-        leak = re.findall(br"START(.*)END", leak, re.MULTILINE | re.DOTALL)[0]
+        try:
+            leak = re.findall(br"START(.*)END", leak, re.MULTILINE | re.DOTALL)[0]
+        except IndexError:
+            # FIXME: Let's hope not to find a collision :)
+            leak = leak[leak.find(b'START') + 5:]
 
         leak += b"\x00"