formatStringExploiter package

formatStringExploiter.FormatString module

class formatStringExploiter.FormatString.FormatString(exec_fmt, arch='i386', bits=32, endian='little', elf=None, max_explore=64, bad_chars='n', index=None, pad=None, written=None, explore_stack=True)

Bases: object

Initialize a FormatString class

Parameters:
  • exec_fmt (function) – Function that takes in one input, a string, and returns the output of the format string vulnerability on it.
  • arch (str, optional) – String representing what architecture this binary is.
  • bits (int, optional) – How many bits is this binary? Commonly 32 (Default) or 64.
  • endian (str, optional) – Is this binary little or big endian?
  • elf (pwnlib.elf.elf.ELF, optional) – pwnlib elf instantiation of this binary. If specified, all fields will be taken from this class.
  • max_explore (int, optional) – How deep down the stack should we explore? Larger numbers may take more time. Default is 64.
  • bad_chars (str, optional) – What characters should we avoid when exploiting this? Defaults to newline character.
  • index (int, optional) – If you already know the index for this vulnerability, you can specify it here
  • pad (int, optional) – If you already know the padding needed, you can specify it here
  • written (int, optional) – If you already know how many bytes have been written in the format string, you can specify it here
  • explore_stack (bool, optional) – Should we auto-explore the stack? Defaults to True.
Returns:

fmtStr
Return type:

FormatString.FormatString
arch

String representation of the architecture, such as i386 and amd64

Type:str
bits

Integer representation of how many bits are in this architecture

Type:int
endian

String representation of what endianness this binary is: little or big

Type:str
elf

pwnlib ELF instantiation representing this binary

Type:pwnlib.elf.elf.ELF
exec_fmt

Function to be called when we need to evaluate a format string

Type:function
max_explore

How deep down the stack should we explore?

Type:int
bad_chars

What characters should we avoid when exploiting this?

Type:str
_exploreStack()

Explore what pointers and data already exists on the stack.

_findIndex()

Figure out where our input starts as well as other information automatically.

The findIndex step automates the process of determining where our controlled input starts. It will iteratively shift inputs to the format string function until it finds the proper index and padding. It will then save that value in the class instance for future reference.

_hasBadChar(s)

Check input for bad characters.

Given the bad_chars we initialized the class with, check the input variable to see if any exist in there.

Parameters:s (int or str or bytes) – Input to be checked for bad characters.
Returns:True if input has bad characters, False otherwise
Return type:bool

Note that if the input is an integer, it will be converted to hex then to a string to be checked for bad characters.

_intToStr(i)

Converts integer to it’s corresponding ASCII string representation

_isPrintableString(s)

Check if the string we’re given should be considered printable.

_leak(addr)

Given an addr, leak that memory as raw string.

Note

This is a base function. You probably don’t want to call this directly. Instead, you should call methods of the leak method, such as leak.d(addr)

Parameters:addr (int) – Address to leak some bytes from
Returns:Raw leak of bytes as a string starting from the given address.
Return type:str
_packPointer(val)

Packs val as pointer relevant to the current binary.

Parameters:val (int) – Pointer value as integer that should be packed appropriately to this binary.
Returns:Integer packed as string relevant to this binary (i.e.: proper endianness)
Return type:str
exec_fmt(fmt)
printStack(guessPointers=True)

Print out what we know about the stack layout in a table format. Note: guessPointers may cause the binary to crash if it is guessed incorrectly.

write_b(addr, val)

Wraps the write_byte call

write_byte(addr, val)

write a single byte of data at addr

Parameters:
  • addr (int) – Address to write the byte to
  • val (int or str) – Integer or string to write to address

This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.

write_d(addr, val)

Wraps the write_dword call

write_dword(addr, val)

write a double word of data at addr

Parameters:
  • addr (int) – Address to write the double word to
  • val (int or str) – Integer or string to write to address

This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.

write_n_words(addr, val, n)

Write value at addr, telling FormatString how many words you actually want to write

Parameters:
  • addr (int) – Address to write words to
  • val (int) – Value to write at address
  • n (int) – Number of words that this value represents

This will attempt to write n words of val starting at address addr. Note that it will write in words and, for now, will not utilize byte writes. This is the core method that the other calls (aside from write_byte) use to actually write.

write_q(addr, val)

Wraps the write_qword call

write_qword(addr, val)

write a quad word of data at addr

Parameters:
  • addr (int) – Address to write the quad word to
  • val (int or str) – Integer or string to write to address

This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.

write_s(addr, s)

WRaps the write_string call

write_string(addr, s)

Attempt to write s as a string at address addr

Parameters:
  • addr (int) – Address to start writing the string to
  • s (str, bytes) – String to write to address

This call will attempt to write the string provided into the address provided. It does this by turning the string into a large number and writing the large number.

write_w(addr, val)

Wraps the write_word call

write_word(addr, val)

write a word of data at addr

Parameters:
  • addr (int) – Address to write the word to
  • val (int or str) – Integer or string to write to address

This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.