This is essentially #796, but I think it should be revisited.

- I think that reading arbitrary addresses is a core feature that the `fmtstr` package and the `FmtStr` class should support.
- Using the `%s` specifier we can read arbitrary data.
- Using `%.<n>s` we can limit the size of the output string to `n` bytes.
- In particular, by using `START%.1sEND`, we can leak a single byte value: if the byte is null the output will be `STARTEND`, and if it is non-null, the value will be `START<value>END`.
- Instead of using `START` and `END`, we can allow the user to provide custom prefixes and suffixes, or generate random ones.
- We can heuristically reduce the number of calls to `execute_fmt` when leaking a consecutive array of bytes, by iteratively using the `%.<k>s` format string, where `k` is the number of bytes left to leak, and incrementing the target address accordingly.
- To leak `n` bytes we will need at most `n` calls to `execute_fmt` (the worst case is if all bytes are null bytes).
- We can concatenate all format strings into a single payload and make fewer (possibly one) calls to `execute_fmt`. This comes at the cost of payload length.
- The proposed additions don't break the existing API. In particular, it uses the existing `execute_fmt` function and its behavior.

I'm willing to implement this if approved and given the green light.
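As an added illustration of the `%.<k>s` leak loop proposed above (example code, not part of this issue or of the `fmtstr` package), the following Python runs the heuristic against a constructed, in-memory stand-in for `execute_fmt` so the call count and the `STARTEND` null case can be observed offline; `make_simulated_execute_fmt`, `leak_bytes`, `SIM_MEMORY` and `SIM_BASE` are assumed names.

```python
import re

# Constructed sample memory: a tiny simulated address space standing in for a
# target process (no real binary is involved). Nine bytes live at SIM_BASE.
SIM_BASE = 0x1000
SIM_MEMORY = b"he\x00lo\x00\x00AB"


def make_simulated_execute_fmt(memory: bytes, base: int):
    """Build a stand-in for execute_fmt over a fake address space (assumed helper)."""
    def execute_fmt(addr: int, fmt: bytes) -> bytes:
        # Emulate printf(fmt, (char *)addr) for a format shaped <prefix>%.<k>s<suffix>,
        # with C string semantics: copy at most k bytes and stop at the first NUL.
        m = re.fullmatch(rb"(.*?)%\.(\d+)s(.*)", fmt, re.S)
        prefix, k, suffix = m.group(1), int(m.group(2)), m.group(3)
        off = addr - base
        chunk = memory[off:off + k]
        nul = chunk.find(b"\x00")
        if nul != -1:
            chunk = chunk[:nul]
        return prefix + chunk + suffix
    return execute_fmt


def leak_bytes(execute_fmt, addr: int, n: int, prefix=b"START", suffix=b"END"):
    """Leak n consecutive bytes starting at addr using the %.<k>s heuristic.

    Each round asks for k = bytes still missing. printf copies until it hits a NUL
    or k bytes; if fewer than k come back, the byte after them is NUL (a bare
    prefix+suffix means the very first byte is NUL). Returns (data, call_count)."""
    leaked = bytearray()
    calls = 0
    while len(leaked) < n:
        k = n - len(leaked)
        fmt = prefix + b"%." + str(k).encode() + b"s" + suffix
        output = execute_fmt(addr + len(leaked), fmt)
        calls += 1
        m = re.search(re.escape(prefix) + b"(.*?)" + re.escape(suffix), output, re.S)
        if m is None:
            raise ValueError("delimiters not found in output")
        got = m.group(1)
        leaked += got
        if len(got) < k:          # copy stopped early: the next byte is 0x00
            leaked.append(0)
    return bytes(leaked), calls


if __name__ == "__main__":
    sim = make_simulated_execute_fmt(SIM_MEMORY, SIM_BASE)
    data, calls = leak_bytes(sim, SIM_BASE, len(SIM_MEMORY))
    print(data, calls)  # b'he\x00lo\x00\x00AB' 4
```

With the sample memory the nine bytes need four calls (one per NUL run plus one for the tail), while an all-NUL buffer hits the worst case of one call per byte.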