formatStringExploiter package¶
formatStringExploiter.FormatString module¶
-
class
formatStringExploiter.FormatString.
FormatString
(exec_fmt, arch='i386', bits=32, endian='little', elf=None, max_explore=64, bad_chars='n', index=None, pad=None, written=None, explore_stack=True)¶ Bases:
object
Initialize a FormatString class
Parameters: - exec_fmt (function) – Function that takes in one input, a string, and returns the output of the format string vulnerability on it.
- arch (str, optional) – String representing what architecture this binary is.
- bits (int, optional) – How many bits is this binary? Commonly 32 (Default) or 64.
- endian (str, optional) – Is this binary little or big endian?
- elf (pwnlib.elf.elf.ELF, optional) – pwnlib elf instantiation of this binary. If specified, all fields will be taken from this class.
- max_explore (int, optional) – How deep down the stack should we explore? Larger numbers may take more time. Default is 64.
- bad_chars (str, optional) – What characters should we avoid when exploiting this? Defaults to newline character.
- index (int, optional) – If you already know the index for this vulnerability, you can specify it here
- pad (int, optional) – If you already know the padding needed, you can specify it here
- written (int, optional) – If you already know how many bytes have been written in the format string, you can specify it here
- explore_stack (bool, optional) – Should we auto-explore the stack? Defaults to True.
Returns: fmtStr
Return type: -
arch
¶ String representation of the architecture, such as i386 and amd64
Type: str
-
bits
¶ Integer representation of how many bits are in this architecture
Type: int
-
endian
¶ String representation of what endianness this binary is: little or big
Type: str
-
elf
¶ pwnlib ELF instantiation representing this binary
Type: pwnlib.elf.elf.ELF
-
exec_fmt
¶ Function to be called when we need to evaluate a format string
Type: function
-
max_explore
¶ How deep down the stack should we explore?
Type: int
-
bad_chars
¶ What characters should we avoid when exploiting this?
Type: str
-
_exploreStack
()¶ Explore what pointers and data already exists on the stack.
-
_findIndex
()¶ Figure out where our input starts as well as other information automatically.
The findIndex step automates the process of determining where our controlled input starts. It will iteratively shift inputs to the format string function until it finds the proper index and padding. It will then save that value in the class instance for future reference.
-
_hasBadChar
(s)¶ Check input for bad characters.
Given the bad_chars we initialized the class with, check the input variable to see if any exist in there.
Parameters: s (int or str or bytes) – Input to be checked for bad characters. Returns: True if input has bad characters, False otherwise Return type: bool Note that if the input is an integer, it will be converted to hex then to a string to be checked for bad characters.
-
_intToStr
(i)¶ Converts integer to it’s corresponding ASCII string representation
-
_isPrintableString
(s)¶ Check if the string we’re given should be considered printable.
-
_leak
(addr)¶ Given an addr, leak that memory as raw string.
Note
This is a base function. You probably don’t want to call this directly. Instead, you should call methods of the
leak
method, such asleak.d(addr)
Parameters: addr (int) – Address to leak some bytes from Returns: Raw leak of bytes as a string starting from the given address. Return type: str
-
_packPointer
(val)¶ Packs val as pointer relevant to the current binary.
Parameters: val (int) – Pointer value as integer that should be packed appropriately to this binary. Returns: Integer packed as string relevant to this binary (i.e.: proper endianness) Return type: str
-
exec_fmt
(fmt)
-
printStack
(guessPointers=True)¶ Print out what we know about the stack layout in a table format. Note: guessPointers may cause the binary to crash if it is guessed incorrectly.
-
write_b
(addr, val)¶ Wraps the
write_byte
call
-
write_byte
(addr, val)¶ write a single byte of data at addr
Parameters: - addr (int) – Address to write the byte to
- val (int or str) – Integer or string to write to address
This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.
-
write_d
(addr, val)¶ Wraps the
write_dword
call
-
write_dword
(addr, val)¶ write a double word of data at addr
Parameters: - addr (int) – Address to write the double word to
- val (int or str) – Integer or string to write to address
This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.
-
write_n_words
(addr, val, n)¶ Write value at addr, telling FormatString how many words you actually want to write
Parameters: - addr (int) – Address to write words to
- val (int) – Value to write at address
- n (int) – Number of words that this value represents
This will attempt to write n words of val starting at address addr. Note that it will write in words and, for now, will not utilize byte writes. This is the core method that the other calls (aside from write_byte) use to actually write.
-
write_q
(addr, val)¶ Wraps the
write_qword
call
-
write_qword
(addr, val)¶ write a quad word of data at addr
Parameters: - addr (int) – Address to write the quad word to
- val (int or str) – Integer or string to write to address
This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.
-
write_s
(addr, s)¶ WRaps the
write_string
call
-
write_string
(addr, s)¶ Attempt to write s as a string at address addr
Parameters: - addr (int) – Address to start writing the string to
- s (str, bytes) – String to write to address
This call will attempt to write the string provided into the address provided. It does this by turning the string into a large number and writing the large number.
-
write_w
(addr, val)¶ Wraps the
write_word
call
-
write_word
(addr, val)¶ write a word of data at addr
Parameters: - addr (int) – Address to write the word to
- val (int or str) – Integer or string to write to address
This call will attempt to write the value provided into the address provided. If value is a string, it will convert it to an integer first.