Add format string for no_dollars #2557
merged 1 commit into from
Mar 1, 2025
38 changes: 31 additions & 7 deletions pwnlib/fmtstr.py
Expand Up @@ -104,6 +104,7 @@ def send_payload(payload):
from pwnlib.memleak import MemLeak
from pwnlib.util.cyclic import *
from pwnlib.util.fiddling import randoms
from pwnlib.util.misc import align
from pwnlib.util.packing import *

log = getLogger(__name__)
Expand Down Expand Up @@ -931,10 +932,11 @@ class FmtStr(object):

"""

def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0, badbytes=frozenset()):
def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0, badbytes=frozenset(), no_dollars=False):
self.execute_fmt = execute_fmt
self.offset = offset
self.padlen = padlen
self.no_dollars = no_dollars
self.numbwritten = numbwritten
self.badbytes = badbytes

Expand All @@ -946,23 +948,29 @@ def __init__(self, execute_fmt, offset=None, padlen=0, numbwritten=0, badbytes=f
self.leaker = MemLeak(self._leaker)

def leak_stack(self, offset, prefix=b""):
payload = b"START%%%d$pEND" % offset
if self.no_dollars:
payload = b'%c' * (offset - 1) + b'START%pEND'
else:
payload = b"START%%%d$pEND" % offset

leak = self.execute_fmt(prefix + payload)
try:
leak = re.findall(br"START(.*?)END", leak, re.MULTILINE | re.DOTALL)[0]
leak = int(leak, 16)
except ValueError:
leak = 0
except IndexError:
log.error("Cannot leak anything: exec_fmt not returning formatted data")
return leak

def find_offset(self):
marker = cyclic(20)
marker = cyclic(context.bytes + 3)
for off in range(1,1000):
leak = self.leak_stack(off, marker)
leak = pack(leak)

pad = cyclic_find(leak[:4])
if pad >= 0 and pad < 20:
if 0 <= pad < context.bytes:
return off, pad
else:
log.error("Could not find offset to format string on stack")
Expand All @@ -978,9 +986,25 @@ def _leaker(self, addr):
if addr & 0xfff == 0 and self.leaker._leak(addr+1, 3, False) == b"ELF":
return b"\x7f"

max_len = self.padlen + 8 + context.bytes
for _ in range(33):
offset = self.offset + max_len // context.bytes
if self.no_dollars:
payload = b'%c' * (offset - 1) + b'START%sEND'
else:
payload = b"START%%%d$sEND" % offset
if len(payload) > max_len:
max_len += align(len(payload) - max_len, context.bytes)
else:
break
else:
raise RuntimeError("this is a bug ... format string building did not converge")

fmtstr = fit({
self.padlen: b"START%%%d$sEND" % (self.offset + 16//context.bytes),
16 + self.padlen: addr
self.padlen: {
0: payload,
max_len: addr
}
})

leak = self.execute_fmt(fmtstr)
Expand All @@ -1000,7 +1024,7 @@ def execute_writes(self):

"""
fmtstr = randoms(self.padlen).encode()
fmtstr += fmtstr_payload(self.offset, self.writes, numbwritten=self.padlen + self.numbwritten, badbytes=self.badbytes, write_size='byte')
fmtstr += fmtstr_payload(self.offset, self.writes, numbwritten=self.padlen + self.numbwritten, badbytes=self.badbytes, no_dollars=self.no_dollars, write_size='byte')
self.execute_fmt(fmtstr)
self.writes = {}

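Review bot: In the `_leaker` hunk, `max_len = self.padlen + 8 + context.bytes` folds the padding length into an offset that is then used relative to `self.padlen` (the nested `fit` dict is keyed at `self.padlen`, with `max_len: addr` inside it), so `addr` lands at buffer position `padlen + max_len` while the selector `%N$s` / `%c…%s` picks slot `self.offset + max_len // context.bytes`. Those agree only when `padlen` is a multiple of `context.bytes`; `find_offset` returns `pad` in `[0, context.bytes)`, so for a typical non-zero pad the address is split across two stack slots and `%s` dereferences garbage (the old `16 + self.padlen` key kept the address slot-aligned). The subsequent `align(...)` step preserves the residue, so it does not repair this. I would drop the padding term: `max_len = 8 + context.bytes` (already a multiple of `context.bytes` on 32- and 64-bit targets, and equal to the old 16 on amd64), and add a comment such as `# offset is the slot that starts at buffer position padlen, so max_len must stay slot-aligned`. `_leaker` begins before this hunk and continues after it, so I could not confirm whether anything else relies on the current value.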