Properly exploiting format strings

2022-10-18 By qld

That paper really covers the subject properly.

Stuff I learned today:

  • My payload stopped working as soon as 0x20 appeared in some p32(address) representation, because I forgot quotes around the xxd wrapper payload, causing the space to split parameters when passed to bash, lol.

# Wrap raw bytes so bash rebuilds them through xxd; the double quotes keep a 0x20 byte from splitting the argument.
def param_xxd(payload):
    return f'"$(xxd -r -p <<< {payload.hex()})"'

Also, %n writes 4 bytes (an int) at once, so if the 4-byte value you want at some memory offset happens to be a nice and gentle integer that is not too large, you can just use %.999u to have 999 bytes written. Adjust that precision for the bytes already written before the %n and call it a day.

from pwn import p32  # pwntools; address and nb_writes are set by the caller

# "%08x" consumes one stack word, the packed address follows, then "%.<nb_writes>u" pads the output counter and "%n" stores it.
payload = b'%08x' + p32(address) + bytes(f'.%.{nb_writes}u.%n', 'ascii')

Boom.
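As an added example (not from the post), here is a small C scanner that walks an untrusted string with printf's own %[flags][width][.precision][length]conv grammar and reports how many arguments it would consume, whether it contains %n, and the minimum number of bytes printf would emit, which is the counter %n stores; next to it, safe_render shows the only real fix for the bug the %n trick relies on: pass untrusted text as a "%s" argument, never as the format. The sample string, the "AAAA" stand-in for p32(address) and the function names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What printf would do if this string were (mis)used as its format argument. */
struct fmt_report {
    int  conversions; /* conversions that consume a vararg (the stack, here) */
    int  n_writes;    /* occurrences of %n, the only conversion that stores */
    long min_output;  /* lower bound on bytes emitted: literals + width/precision */
};

/* Walk %[flags][width][.precision][length]conv the way printf parses it. */
static struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0, 0};
    for (const char *p = s; *p;) {
        if (*p != '%') { r.min_output++; p++; continue; }
        p++;                                               /* past '%' */
        if (*p == '%') { r.min_output++; p++; continue; }  /* "%%" is a literal */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        long width = 0, prec = 0;
        if (*p == '*') { r.conversions++; p++; }           /* width from an argument */
        else while (isdigit((unsigned char)*p)) width = width * 10 + (*p++ - '0');
        if (*p == '.') {                                   /* precision, e.g. %.999u */
            p++;
            if (*p == '*') { r.conversions++; p++; }
            else while (isdigit((unsigned char)*p)) prec = prec * 10 + (*p++ - '0');
        }
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifiers */
        if (!*p) break;                                    /* dangling '%' at end */
        char conv = *p++;
        r.conversions++;
        if (conv == 'n') r.n_writes++;                     /* %n emits nothing */
        else r.min_output += width > prec ? width : prec;
    }
    return r;
}

/* The actual fix: untrusted text is data, passed to a constant "%s" format. */
static int safe_render(char *dst, size_t n, const char *untrusted)
{
    return snprintf(dst, n, "%s", untrusted);
}

int main(void)
{   /* constructed sample shaped like the post's payload; "AAAA" stands in for p32(address) */
    struct fmt_report r = scan_format("%08xAAAA.%.999u.%n");
    printf("args consumed=%d, %%n writes=%d, bytes emitted=%ld\n", r.conversions, r.n_writes, r.min_output);
    return 0;
}
```

The 1013 bytes reported for the sample is exactly the value a misused printf would store through %n: 8 for %08x, 4 address bytes, two dots and the 999 digits of %.999u.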

It's now 10 AM and the chickens are hungry. Bye.