fmtstring – Format strings

The fmtstring module allows you to build format strings that can be used to exploit format string bugs (printf(buf);).

pwnypack.fmtstring.fmtstring(offset, writes, written=0, max_width=2, target=None)

Build a format string that writes given data to given locations. Can be used to easily create format strings that exploit format string bugs.

writes is a list of 2- or 3-item tuples. Each tuple represents a memory write: first the absolute address, then the data to write as an integer, and optionally the width (1, 2, 4 or 8) of the write.

fmtstring() will break up the writes and try to optimise the order to minimise the amount of dummy output generated.

Parameters:
  • offset (int) – The parameter offset at which the format string starts.
  • writes (list) – A list of 2 or 3 item tuples.
  • written (int) – How many bytes have already been written before the built format string starts.
  • max_width (int) – The maximum width of the writes (1, 2 or 4).
  • target (pwnypack.target.Target) – The target architecture.
Returns:
  The format string that will execute the specified memory writes.
Return type:
  bytes

Example

The following example will (on a 32-bit architecture) build a format string that writes 0xc0debabe to the address 0xdeadbeef and the byte 0x90 to 0xdeadbeef + 4, assuming that the input buffer is located at offset 3 on the stack.

>>> from pwny import *
>>> fmtstring(3, [(0xdeadbeef, 0xc0debabe), (0xdeadbeef + 4, 0x90, 1)])
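The bug class this module targets is the `printf(buf);` pattern named in the introduction. The following C program, added here as an example and not part of pwnypack, puts that vulnerable pattern beside its fixed form (a literal format with the input passed as a `%s` argument) and adds two helpers a defender can reuse: one that counts conversion directives in untrusted input, so a payload of the kind `fmtstring()` produces stands out in logs, and one that neutralises percent signs for legacy call sites whose format argument cannot be changed. The sample input is constructed; the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The vulnerable pattern: untrusted data is used as the format argument,
 * so any conversion directive in the input is interpreted by printf. */
void log_line_vulnerable(const char *untrusted)
{
    printf(untrusted);          /* format string bug: printf(buf); */
}

/* The fix: the format is a literal and the input is only ever a %s argument. */
void log_line_fixed(const char *untrusted)
{
    printf("%s", untrusted);
}

/* Detection helper: count conversion directives in a string.
 * "%%" is a literal percent sign and is not counted. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Mitigation for legacy code that cannot change a call site's format
 * argument: double every '%' so the string carries no directives.
 * Returns a heap-allocated string the caller must free, or NULL. */
char *escape_percent(const char *s)
{
    size_t len = strlen(s), extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '%')
            extra++;
    char *out = malloc(len + extra + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: a run of directives rather than plain text,
     * which is what a format string payload looks like on the receiving side. */
    const char *sample = "%x %x %n";
    printf("directives in sample: %zu\n", count_format_directives(sample));

    char *safe = escape_percent(sample);
    if (!safe)
        return 1;
    log_line_fixed(safe);       /* prints the text "%%x %%x %%n", nothing more */
    putchar('\n');
    free(safe);

    /* log_line_vulnerable(sample) is deliberately never called with input. */
    (void)log_line_vulnerable;
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (or `-Werror=format-security` in GCC and Clang) flags `log_line_vulnerable` at build time, which is the cheapest place to catch this bug; `count_format_directives` is for the runtime side, where untrusted strings arrive from the network and a non-zero count on a field that should be plain text is worth an alert.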