fmtstring – Format strings

The fmtstring module allows you to build format strings that can be used to exploit format string bugs, i.e. calls such as printf(buf); where the format argument is taken from untrusted input.
pwnypack.fmtstring.fmtstring(offset, writes, written=0, max_width=2, target=None)

Build a format string that writes the given data to the given locations. It can be used to easily create format strings that exploit format string bugs.

writes is a list of 2- or 3-item tuples. Each tuple represents a memory write and consists of an absolute address, the data to write as an integer and, optionally, the width (1, 2, 4 or 8) of the write.

fmtstring() will break up the writes and try to optimise their order to minimise the amount of dummy output generated.

Parameters:
- offset (int) – The parameter offset where the format string starts.
- writes (list) – A list of 2- or 3-item tuples.
- written (int) – How many bytes have already been written before the built format string starts.
- max_width (int) – The maximum width of the writes (1, 2 or 4).
- target (pwnypack.target.Target) – The target architecture.

Returns: The format string that will execute the specified memory writes.

Return type: bytes
Example

The following example will (on a 32-bit architecture) build a format string that writes 0xc0debabe to the address 0xdeadbeef and the byte 0x90 to 0xdeadbeef + 4, assuming that the input buffer is located at offset 3 on the stack.

>>> from pwny import *
>>> fmtstring(3, [(0xdeadbeef, 0xc0debabe), (0xdeadbeef + 4, 0x90, 1)])
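As an added example that is not part of the pwnypack documentation, the defender's side of the same mechanism: a small Python scanner that parses printf-style conversion specifications in untrusted input and reports the %n-family write directives, positional (%N$) argument references and width padding that a string like the one built above depends on. The sample inputs are constructed for this example.

```python
import re

# C99 printf conversion specification:
#   % [argpos$] [flags] [width] [.precision] [length] conversion
# width and precision may also be "*" or "*m$"; "%%" is a literal percent.
_SPEC = re.compile(
    r"%"
    r"(?:(?P<argpos>\d+)\$)?"
    r"(?P<flags>[-+ #0]*)"
    r"(?P<width>\d+|\*(?:\d+\$)?)?"
    r"(?:\.(?P<precision>\d+|\*(?:\d+\$)?))?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def scan_format_directives(data: bytes) -> dict:
    """Parse every printf directive in untrusted input and summarise what it
    would do if the input reached printf() as the format argument."""
    text = data.decode("latin-1")  # one byte per character, never fails
    writes = reads = positional = padding = 0
    for m in _SPEC.finditer(text):
        conv = m.group("conv")
        if conv == "%":
            continue  # "%%" consumes no argument and writes nothing
        if conv == "n":
            writes += 1  # %n / %hn / %hhn store the byte count: a memory write
        else:
            reads += 1  # %x, %p, %s ... read (and leak) a stack argument
        if m.group("argpos"):
            positional += 1  # %N$... selects the argument slot directly
        width = m.group("width")
        if width and width.isdigit():
            padding += int(width)  # %<N>c pads output to steer the %n count
    return {"writes": writes, "reads": reads, "positional": positional,
            "padding": padding,
            # a write directive or explicit argument selection means the
            # input was crafted for printf(buf), not for display
            "suspicious": writes > 0 or positional > 0}


if __name__ == "__main__":
    # Constructed samples: a benign log line and one shaped like a write payload.
    for sample in (b"user=alice finished 100%% of the job",
                   b"AAAA%08x%3$hn%7$n"):
        print(sample, scan_format_directives(sample))
```

Input that will be passed as a format argument should contain no directives at all; the counts let a log pipeline distinguish a stray "%" from a crafted string.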