Gotchas
Hanging on Write
There are a few reasons for hanging on write. Check the following:
- Check whether your format string harness is waiting on input.
- Check your `badChars` input to the FormatString class. Depending on how your program receives input, it may have different characters to avoid.
- If you are using pwntools to communicate with the application, be sure to add `buffer_fill_size=0xffff` to the setup line, such as `p = process("./a.out", buffer_fill_size=0xffff)`.
On the last point, there is currently a limitation in how pwntools handles receiving input: it will only receive a maximum of 4096 characters. When writing large values, you will write up to 65535 characters, so this argument is needed. At the time of writing, this change is in a pull request and not yet in pwntools proper. If you are having issues, use my fork of pwntools, which has this change integrated: https://github.com/owlz/pwntools
Be Careful About Your exec_fmt Function!
You need to be careful about where you start your input for your `exec_fmt` function. FormatString infers many things from what you return to it, so if you do not return the output from the actual start of the program's response, your writes or reads may be off.
When in doubt, break at the vulnerable format function to ensure you're getting all the data. Sometimes there is data before the actual return data in the buffer (such as "hello, " or whatever). That output must be accounted for, and so must be returned to FormatString.