FmtStr has some problems

[matrix1001]

numbwritten does not work

def fmt(s):
    print repr(s)
f = FmtStr(fmt, offset=0)
f.write(0xdeadbeef,0x12345678)
f.execute_writes()
#result: '\xef\xbe\xad\xde\xf0\xbe\xad\xde\xf1\xbe\xad\xde\xf2\xbe\xad\xde%104c%0$hhn%222c%1$hhn%222c%2$hhn%222c%3$hhn'

f = FmtStr(fmt, offset=0,numbwritten=20)
f.write(0xdeadbeef,0x12345678)
f.execute_writes()
#result: '\xef\xbe\xad\xde\xf0\xbe\xad\xde\xf1\xbe\xad\xde\xf2\xbe\xad\xde%104c%0$hhn%222c%1$hhn%222c%2$hhn%222c%3$hhn'

apparently the result should be different .

bad char problem

def fmt(s):
    print repr(s)
f = FmtStr(fmt, offset=0)
f.write(0x080420,0x12345678)
f.execute_writes()
#result: ' \x04\x08\x00!\x04\x08\x00"\x04\x08\x00#\x04\x08\x00%104c%0$hhn%222c%1$hhn%222c%2$hhn%222c%3$hhn'

some char like '\x00' will terminate the printf!!!
better solution is to put address in the tail of the payload!

[matrix1001]

I just checked the code. Found this in FmtStr:

    def execute_writes(self):
        fmtstr = randoms(self.padlen)
        fmtstr += fmtstr_payload(self.offset, self.writes, numbwritten=self.padlen, write_size='byte')
        self.execute_fmt(fmtstr)
        self.writes = {}

it shoul be fmtstr += fmtstr_payload(self.offset, self.writes, numbwritten=self.padlen+self.numbwritten, write_size='byte')

[zachriggle]

Yep, the code is pretty limited in its utility. I had some prototype code to auto-solve and exploit format string bugs in a pull request but it was never completed.

Feel free to contribute a fix!