Merged
merged 14 commits into from
Apr 30, 2023

Conversation

murph12F
Contributor

No $ notation support for Fmtstr module

Added a new feature to the fmtstr module: the fmtstr_payload(...) function now supports generating a payload without using the $ notation.
This can be accomplished with the new flag in the fmtstr_payload function parameters, no_dollars.

Every line of code added has an effect only if the no_dollars parameter is set; if it is not set, the module remains unchanged.


Function signature

Before

```python
def fmtstr_payload(offset, writes, numbwritten=0, write_size='byte', write_size_max='long', overflows=16, strategy="small", badbytes=frozenset(), offset_bytes=0) -> str
```

After

```python
def fmtstr_payload(offset, writes, numbwritten=0, write_size='byte', write_size_max='long', overflows=16, strategy="small", badbytes=frozenset(), offset_bytes=0, no_dollars=False) -> str
```

Example:

```python
[ins] In [5]: from pwn import *

[ins] In [6]: context.clear( arch='amd64')

[ins] In [7]: fmtstr_payload(7,{ 0xdeadbeef : 0xc00ffe }  , no_dollars=True)
Out[7]: b'%c%c%c%c%c%c%c%c%c%c%c%c%4082c%lln%194c%hhnaaaab\x00\x00\x00\x00\x00\x00\x00\x00\xef\xbe\xad\xde\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf1\xbe\xad\xde\x00\x00\x00\x00'
```
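The mechanics the description relies on can be checked from the reading side: without `$`, each `%c` consumes the next printf argument in order, the running character count is what `%lln` and `%hhn` store, and the pointer a write dereferences is simply the slot `(argument - offset)` into the buffer itself. The audit helper below is an added example, not pwntools code and not part of this pull request: it parses a format string, simulates printf's argument and character bookkeeping, resolves every `%n`-family write to the address it targets, and reconstructs the resulting memory for the payload shown above (its bytes are embedded as a constructed sample). It handles both the `$` and the no-`$` form, so it also reproduces the module's existing doctest payloads. It assumes the buffer starts at printf argument `offset` (1-based) and that arguments are pointer-sized stack slots; the names `format_part`, `uses_positional`, `analyze_format`, `simulate_writes` and `reconstruct_memory` are chosen here.

```python
import re

# Constructed sample: the amd64 payload shown in the PR description for
# fmtstr_payload(7, {0xdeadbeef: 0xc00ffe}, no_dollars=True).
EXAMPLE_OFFSET = 7
EXAMPLE_PAYLOAD = (
    b'%c%c%c%c%c%c%c%c%c%c%c%c%4082c%lln%194c%hhnaaaab'
    b'\x00\x00\x00\x00\x00\x00\x00\x00\xef\xbe\xad\xde\x00\x00\x00\x00'
    b'\x00\x00\x00\x00\x00\x00\x00\x00\xf1\xbe\xad\xde\x00\x00\x00\x00'
)

# One printf conversion: optional "N$" position, optional width, optional
# length modifier, conversion character. Flags and precision are not needed
# for the specifiers fmtstr_payload emits.
SPEC_RE = re.compile(rb'%(?:(\d+)\$)?(\d*)(hh|h|ll|l)?([cdinpsux])')

# Number of bytes each %n variant stores.
N_WIDTH = {None: 4, b'hh': 1, b'h': 2, b'l': 8, b'll': 8}


def format_part(payload):
    """printf stops at the first NUL; everything after it is pointer data."""
    return payload.split(b'\x00', 1)[0]


def uses_positional(fmt):
    """True if the format string relies on the %N$ positional syntax."""
    return any(m.group(1) for m in SPEC_RE.finditer(fmt))


def analyze_format(fmt):
    """Simulate printf's bookkeeping over fmt.

    Returns (last_arg_consumed, chars_printed, writes); writes is a list of
    (arg_index, value, width): for each %n-family specifier, the 1-based
    argument it dereferences, the value stored and its size in bytes.
    Without '$', every specifier consumes the next argument in order.
    """
    arg, printed, pos, writes = 0, 0, 0, []
    for m in SPEC_RE.finditer(fmt):
        printed += m.start() - pos              # literal bytes before the specifier
        pos = m.end()
        positional, width, length, conv = m.groups()
        arg = int(positional) if positional else arg + 1
        if conv == b'n':
            w = N_WIDTH[length]
            writes.append((arg, printed & ((1 << (8 * w)) - 1), w))
        elif conv == b'c':
            printed += max(int(width or b'1'), 1)   # %c pads to at least width
        else:
            printed += int(width or b'0')          # lower bound for other conversions
    printed += len(fmt) - pos                      # trailing literal bytes
    return arg, printed, writes


def simulate_writes(payload, offset, ptr_size=8):
    """Resolve each %n write to the pointer it dereferences.

    Assumes the payload buffer starts at printf argument `offset` (1-based)
    and that arguments are ptr_size-byte stack slots (8 on amd64, 4 on i386).
    Returns [(address, value, width), ...] in write order.
    """
    resolved = []
    for arg, value, width in analyze_format(format_part(payload))[2]:
        start = (arg - offset) * ptr_size
        slot = payload[start:start + ptr_size]
        if start < 0 or len(slot) < ptr_size:
            raise ValueError("argument %d lies outside the payload buffer" % arg)
        resolved.append((int.from_bytes(slot, 'little'), value, width))
    return resolved


def reconstruct_memory(resolved, base, size=8):
    """Apply the writes, in order, to a zeroed `size`-byte window at `base`
    and return the resulting little-endian integer."""
    mem = bytearray(size)
    for addr, value, width in resolved:
        off = addr - base
        if 0 <= off and off + width <= size:
            mem[off:off + width] = value.to_bytes(width, 'little')
    return int.from_bytes(mem, 'little')


if __name__ == '__main__':
    fmt = format_part(EXAMPLE_PAYLOAD)
    print("positional syntax used:", uses_positional(fmt))
    last_arg, printed, _ = analyze_format(fmt)
    print("arguments consumed: %d, characters printed: %d" % (last_arg, printed))
    resolved = simulate_writes(EXAMPLE_PAYLOAD, EXAMPLE_OFFSET)
    for addr, value, width in resolved:
        print("  %%n write: %d byte(s) of 0x%x at 0x%x" % (width, value, addr))
    print("memory at 0xdeadbeef afterwards: 0x%x" % reconstruct_memory(resolved, 0xdeadbeef))
```

For the payload above the walk shows twelve `%c` plus `%4082c` reaching 4094 characters, so `%lln` stores 0x0ffe through argument 14 (the 0xdeadbeef slot), and `%194c` brings the count to 0x10c0, so `%hhn` stores 0xc0 through argument 16 (the 0xdeadbef1 slot); together they leave 0xc00ffe at 0xdeadbeef, which is exactly what the call requested. Because the walk only ever advances the argument index, no `$` is needed, which is why the zero-filled slots at arguments 13 and 15 exist: they are consumed by the padding `%c` conversions that sit between the two writes.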

@Arusekk Arusekk left a comment

Great stuff! Thanks a lot, would you mind adding some extra doctests that would ensure the fmtstr stuff works? It might be beneficial to also launch the examples/fmtstr.py and examples/fmtstr2.py with no_dollars=True in the CI pipeline.

murph12F and others added 3 commits April 27, 2023 20:33
suggested change, don't need comparison in calling the make_payload_dollar

Co-authored-by: Arusekk <[email protected]>
suggestion; better use a non null byte thing to fill the values used by the %c to pad before writing.

Co-authored-by: Arusekk <[email protected]>
@Arusekk (Member) commented Apr 27, 2023

How about some tests now?

@murph12F (Contributor, Author) commented

> How about some tests now?

did you see the padding thing? I see that you answered that from my email but can't find your response, could you open another suggestion about that? sorry :/

I was looking at the output of the checks that failed, have a look at this, this one fails because of the new feature added, because it expects to find %1c but we just print "c" * 1.

```
Document: fmtstr
----------------
**********************************************************************
File "fmtstr.rst", line ?, in default
Failed example:
    fmtstr_payload(1, {0x0: 0x00000001}, write_size='byte')
Expected:
    b'%1c%3$na\x00\x00\x00\x00'
Got:
    'c%3$naaa\x00\x00\x00\x00'
**********************************************************************
```

@Arusekk (Member) commented Apr 27, 2023

Yes, the test needs to be updated.

Please add another test too, with no_dollars set to True.

…to save some bytes in the generation of the payload
@Arusekk (Member) commented Apr 27, 2023

Time for some tests :)

@murph12F (Contributor, Author) commented Apr 27, 2023

not really practical with tests :/, what am I supposed to do, is there any doc to read about it? I'll check them next morning, btw, I'll go to sleep now, been awake for too many hours, appreciate your time mate. I'll link with you tomorrow. good morning/night gang

@murph12F (Contributor, Author) commented

just had a look before closing the laptop, are those the tests that I am supposed to do?

```python
    Examples:
        >>> context.clear(arch = 'amd64')
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='int')
        b'%322419390c%4$llnaaaabaa\x00\x00\x00\x00\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='short')
        b'%47806c%5$lln%22649c%6$hnaaaabaa\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='byte')
        b'%190c%7$lln%85c%8$hhn%36c%9$hhn%131c%10$hhnaaaab\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
        >>> context.clear(arch = 'i386')
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='int')
        b'%322419390c%5$na\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='short')
        b'%4919c%7$hn%42887c%8$hna\x02\x00\x00\x00\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: 0x1337babe}, write_size='byte')
        b'%19c%12$hhn%36c%13$hhn%131c%14$hhn%4c%15$hhn\x03\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: 0x00000001}, write_size='byte')
        b'%1c%3$na\x00\x00\x00\x00'
        >>> fmtstr_payload(1, {0x0: b"\xff\xff\x04\x11\x00\x00\x00\x00"}, write_size='short')
        b
```
sorry for the line numbers, vim shit

@Arusekk (Member) commented Apr 27, 2023

Sure, the tests are just the code snippets in the documentation strings of the functions. You can save time and only run relevant tests with:

```sh
$ pip install -r docs/requirements.txt
$ python -bb -m sphinx -b doctest docs/source docs/build/doctest docs/source/fmtstr.rst
```

@murph12F (Contributor, Author) commented Apr 27, 2023

ok, appreciate it, I'll do that as soon as I wake up.

@murph12F (Contributor, Author) commented

@Arusekk added some tests (just 3 for now), I've run them as you suggested, seems to be working correctly. let me know, I'll keep doing some tests.

@Arusekk Arusekk added this to the 4.11.0 milestone Apr 29, 2023
@murph12F (Contributor, Author) commented Apr 29, 2023

Hello, I've seen you approved the changes, and added this request to a milestone, thanks.
Could I ask why this test keeps failing?:
coverage/coveralls — Coverage decreased (-5.3%) to 68.181%

also you added this to the 4.11 milestone, want me to change that in my CHANGELOG? I've put it in the 4.12

@Arusekk (Member) commented Apr 29, 2023

Sure, also make sure the markdown is rendered correctly (i.e. one line added to the list and one to the link section). Never mind the coverage indicator, it is broken and I have been looking for some ways to replace it.

@murph12F (Contributor, Author) commented

ok, updated the changelog file with the correct version. I've copied the other lines to be sure to do that right, have a look when you have a second. After these changes get approved I'll just have to wait, right, till the drop of the next milestone? (sorry, newbie in contributing to other projects) appreciate it

@Arusekk Arusekk merged commit 83e3b5b into Gallopsled:dev Apr 30, 2023
@murph12F murph12F deleted the fmtstr_no_dollar_payload branch May 8, 2023 16:39
gogo2464 pushed a commit to gogo2464/pwntools that referenced this pull request Sep 10, 2023
* added feature to the fmtstr module, now able to generate payload without the dollar syntax.

* made some improvements in the no_dollar feature implemented

* reduced different lines

* removed some blank lines and debug stuff

* (fix) missing check for no_dollar option

* (fix) updated argument type for documentation

* updated CHANGELOG.md

* (fix) typo in the CHANGELOG.md version

* Update pwnlib/fmtstr.py

suggested change, don't need comparison in calling the make_payload_dollar

Co-authored-by: Arusekk <[email protected]>

* Update pwnlib/fmtstr.py

suggestion; better use a non null byte thing to fill the values used by the %c to pad before writing.

Co-authored-by: Arusekk <[email protected]>

* (fix) minor fixes, typos on comments

* update pwnlib/fmtstr.py : suggestion from Arusekk, made improvements to save some bytes in the generation of the payload

* added tests to fmtstr_payload with no dollar flag

* update CHANGELOG.md with correct version

---------

Co-authored-by: Arusekk <[email protected]>