


    from pwn import *

    # Assume a process that reads a string
    # and passes this string as the first argument
    # of a printf() call.
    # It does this indefinitely.
    p = process('./vulnerable')

    # Function called in order to send a payload
    def send_payload(payload):
        log.info("payload = %s" % repr(payload))
        p.sendline(payload)
        return p.recv()

    # Create a FmtStr object and pass it the function
    format_string = FmtStr(execute_fmt=send_payload)
    format_string.write(0x0, 0x1337babe)  # write 0x1337babe at 0x0
    format_string.write(0x1337babe, 0x0)  # write 0x0 at 0x1337babe
    format_string.execute_writes()

AtomWrite(start, size, integer, mask=None)

    This class represents a write action that can be carried out by a single format string specifier.

    Each write has an address (start), a size and the integer that should be written.

    Additionally, writes can have a mask to specify which bits are important. While the write always overwrites all bytes in the range [start, start+size), the mask sometimes allows more efficient execution. For example, assume the current format string counter is at 0xaabb and a write with integer = 0xaa00 and mask = 0xff00 needs to be executed. In that case, since the lower byte is not covered by the mask, the write can be directly executed with a %hn sequence (so we will write 0xaabb, but that is ok because the mask only requires the upper byte to be correctly written).

    __eq__
        x.__eq__(y) is equivalent to x == y

    __hash__()
        Equivalent to hash(x)

    __init__(start, size, integer, mask=None)
        x.__init__(…) initializes x; see help(type(x)) for signature

    __ne__(other)
        x.__ne__(y) is equivalent to x != y

    __repr__()
        Equivalent to repr(x)

    compute_padding(counter)
        This function computes the least amount of padding necessary to execute this write, given the current format string write counter (how many bytes have been written until now).

FmtStr(execute_fmt, offset=None, padlen=0, numbwritten=0)

    Provides an automated format string exploitation.

    It takes a function which is called every time the automated
