{"id":19927203,"url":"https://github.com/hexhive/printbf","last_synced_at":"2026-02-06T22:31:06.807Z","repository":{"id":47842761,"uuid":"48643597","full_name":"HexHive/printbf","owner":"HexHive","description":"Brainfuck interpreter inside printf","archived":false,"fork":false,"pushed_at":"2021-04-01T02:31:25.000Z","size":1404,"stargazers_count":670,"open_issues_count":1,"forks_count":28,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-07-26T16:46:03.331Z","etag":null,"topics":["brainfuck-interpreter","exploitation-framework","printf","turing-machine"],"latest_commit_sha":null,"homepage":null,"language":"Brainfuck","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HexHive.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-12-27T12:08:52.000Z","updated_at":"2025-07-01T03:19:39.000Z","dependencies_parsed_at":"2022-09-21T04:21:43.729Z","dependency_job_id":null,"html_url":"https://github.com/HexHive/printbf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HexHive/printbf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2Fprintbf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2Fprintbf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2Fprintbf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2Fprintbf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HexHive","download_url":"https://codeload.github.com/HexHive/printbf/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2Fprintbf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29179415,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T22:12:24.066Z","status":"ssl_error","status_checked_at":"2026-02-06T22:12:09.859Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brainfuck-interpreter","exploitation-framework","printf","turing-machine"],"created_at":"2024-11-12T22:32:41.939Z","updated_at":"2026-02-06T22:31:06.792Z","avatar_url":"https://github.com/HexHive.png","language":"Brainfuck","readme":"# printbf -- Brainfuck interpreter in printf\n\n## Authors\n\n* [Mathias Payer](http://nebelwelt.net)\n* [Nicholas Carlini](http://nicholas.carlini.com)\n\n\n## Background\n\nGeneric POSIX printf itself can be Turing complete as shown in [Control-Flow\nBending](http://nebelwelt.net/publications/#15SEC). Here we take\nprintf-oriented programming one step further and preset a brainfuck\ninterpreter inside a single printf statement.\n\nAn attacker can control a printf statement through a format string\nvulnerability (where an attacker-controlled string is used as first parameter\nto a printf-like statement) or if the attacker can control the first argument\nto a printf statement through, e.g., a generic memory corruption. See the\ndisclaimer below for practical *in the wild* considerations.\n\nBrainfuck is a Turing-complete language that has the following commands (and\ntheir mapping to format strings):\n\n* `\u003e` == dataptr++  (`%1$.*1$d %2$hn`)\n* `\u003c` == dataptr--  (`%1$65535d%1$.*1$d%2$hn`)\n* `+` == (\\*dataptr)++  (`%3$.*3$d %4$hhn`)\n* `-` == (\\*dataptr)--  (`%3$255d%3$.*3$d%4$hhn` -- plus check for ovfl)\n* `.` == putchar(\\*dataptr)  (`%3$.*3$d%5$hn`)\n* `,` == getchar(dataptr)  (`%13$.*13$d%4$hn`)\n* `[` == if (\\*dataptr == 0) goto `]`  (`%1$.*1$d%10$.*10$d%2$hn`)\n* `]` == if (\\*dataptr != 0) goto `[`  (`%1$.*1$d%10$.*10$d%2$hn`)\n\n\n## Demo and sources\n\nHave a look at the bf_pre.c sources to see what is needed to setup the\ninterpreter and also look at the tokenizer in toker.py.\n\nRun make in ./src to generate a couple of sample programs (in ./src).\n\n\n## Disclaimer\n\nKeep in mind that this printbf interpreter is supposed to be a fun example of\nTuring completeness that is available in current programs and not a new\ngeneric attack vector. This demo is NOT intended to be a generic\nFORTIFY_SOURCE bypass.\n\nCurrent systems often either (i) disable %n (which is used to write to memory\nand allowed according to the standard but rarely used in practice) or (ii)\nthrough a set of of patches that test for attack-like conditions, e.g., if\nthe format string is in writable memory.\n\nTo use printbf in the wild an attacker will either have to disable\nFORTIFY_SOURCE checking or get around the checks by placing lining up the\nformat strings and placing them in readonly memory. The FORTIFY_SOURCE\nmitigations are glibc specific. The attacker model for printbf assumes that\nthe attacker can use memory corruption vulnerabilities to set-up the attack or\nthat the sources are compiled without enabled FORTIFY_SOURCE defenses. \n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhexhive%2Fprintbf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhexhive%2Fprintbf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhexhive%2Fprintbf/lists"}