
FmtStr arbitrary read #2577

Open

Description

@RealA10N

This is essentially #796, but I think it should be revisited.

  • I think that reading arbitrary addresses is a core feature that the fmtstr package and the FmtStr class should support.
  • Using the %s specifier we can read arbitrary data.
  • Using %.<n>s we can limit the size of the output string to n bytes.
  • In particular, by using START%.1sEND, we can leak a single byte value: if the byte is null the output will be STARTEND, and if it is non-null, the value will be START<value>END.
  • Instead of using START and END, we can allow the user to provide custom prefixes and suffixes, or generate random ones.
  • We can heuristically reduce the amount of calls to execute_fmt if leaking a consecutive array of bytes, by iteratively using the %.<k>s format string, where k is the number of bytes left to leak, and incrementing the target address accordingly.
  • To leak n bytes we will need at most n calls to execute_fmt (the worst case is if all bytes are null bytes).
  • We can concatenate all format strings to a single payload and call to execute_fmt with fewer (possibly, one) call to execute_fmt. This comes at the cost of payload length.
  • The proposed additions don't break the existing API. In particular, it uses the existing execute_fmt function and its behavior.

I'm willing to implement this if approved and given the green light.
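A model of the leak loop the issue proposes, added here as an illustration (it is not pwntools code and not the issue author's). `make_fake_execute_fmt` stands in for a real `execute_fmt` by answering a `%.<k>s` read from a constructed in-memory buffer, and `leak` shows the marker parsing, how a short reply reveals a null byte, and why the call count never exceeds n.

```python
import os

# Constructed memory image used in place of a real process: 9 bytes
# containing two embedded NULs and a run of two NULs.
SAMPLE_MEMORY = b"ABC\x00DE\x00\x00F"
SAMPLE_BASE = 0x1000


def make_fake_execute_fmt(memory: bytes, base: int):
    """Return a stand-in for execute_fmt that emulates printf("%.<k>s").

    It reads at most k bytes from `addr`, stops at the first NUL (as %s
    does) and wraps the result in the caller's prefix and suffix markers.
    """
    def fake_execute_fmt(addr: int, k: int, prefix: bytes, suffix: bytes) -> bytes:
        chunk = memory[addr - base:addr - base + k]
        nul = chunk.find(b"\x00")
        if nul != -1:
            chunk = chunk[:nul]
        return prefix + chunk + suffix
    return fake_execute_fmt


def leak(addr: int, n: int, execute_fmt, prefix: bytes = None, suffix: bytes = None):
    """Leak n bytes starting at addr using the %.<k>s heuristic.

    k is always the number of bytes still missing; a reply shorter than k
    means the byte right after the returned chunk is NUL, so every call
    yields at least one byte and the loop runs at most n times.
    Markers default to random values so leaked data is unlikely to contain
    them (a suffix occurring inside the data would truncate the parse).
    """
    prefix = prefix if prefix is not None else os.urandom(4).hex().encode()
    suffix = suffix if suffix is not None else os.urandom(4).hex().encode()
    out, calls = bytearray(), 0
    while len(out) < n:
        k = n - len(out)
        reply = execute_fmt(addr + len(out), k, prefix, suffix)
        calls += 1
        start = reply.index(prefix) + len(prefix)
        chunk = reply[start:reply.index(suffix, start)]
        if len(chunk) < k:
            chunk += b"\x00"  # string terminated early: next byte is NUL
        out += chunk
    return bytes(out), calls


if __name__ == "__main__":
    data, calls = leak(SAMPLE_BASE, 9, make_fake_execute_fmt(SAMPLE_MEMORY, SAMPLE_BASE))
    print(data, calls)  # b'ABC\x00DE\x00\x00F' 4
```

With the constructed buffer the three embedded NULs cost three extra calls (4 in total for 9 bytes); an all-NUL buffer hits the worst case of exactly n calls, and a NUL-free buffer needs one.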
