Gallopsled/pwntools

FmtStr arbitrary read

Opened this issue · 2 comments

RealA10N commented

This is essentially #796, but I think it should be revisited.

  • I think that reading arbitrary addresses is a core feature that the fmtstr package and the FmtStr class should support.
  • Using the %s specifier we can read arbitrary data.
  • Using %.<n>s we can limit the size of the output string to n bytes.
  • In particular, by using START%.1sEND, we can leak a single byte value: if the byte is null we will the output will be STARTEND, and if it is non-null, the value will be START<value>END.
  • Instead of using START and END, we can allow the user to provide custom prefixes and suffixes, or generate random ones.
  • We can heuristically reduce the amount of calls to execute_fmt if leaking a consecutive array of bytes, by iteratively using the %.<k>s format string, where k is the number of bytes left to leak, and incrementing the target address accordingly.
  • To leak n bytes we will need at most n calls to execute_fmt (the worst case is if all bytes are null bytes).
  • We can concatenate all format strings to a single payload and call to execute_fmt with fewer (possibly, one) call to execute_fmt. This comes at the cost of payload length.
  • The proposed additions don't break the existing API. In particular, it uses the existing execute_fmt function and it's behavior.

I'm willing to implement this if approved and given the green light.

peace-maker commented

Yes, feel free to draft an implementation please! We can reuse the MemLeak logic to handle nullbytes etc.
https://docs.pwntools.com/en/latest/memleak.html

Arusekk commented