I'll do the chall_08 from the Sunshine CTF speedruns:
Welcome to the next stage of your x86 exploitation journey.
Here are the stories to tell for printf, I will use several lectures on this.
"%p"
%19$p
%19$hn
p64(target)+"%3230x%7$hn"
pwntools
fmt_payload
Here's the basic vulnerability in the wild:
Let's play with that a little bit.
Typically printf is used like this:
printf("%d + %d == %d\n", 1, 2, 3);
The format string references arguments to the function printf.
Here we are letting the user CONTROL the format string (rather than an argument).
This is a bit like SQL injection but for C.
So what goes wrong?
When we ask for printf("%d %d %d %d %d %d %d");
but no arguments were actually passed in the code... well... nothing checks that: printf trusts the format string.
So it just reads from wherever the arguments are supposed to be and gives you whatever is there.
In this case we're referencing the first 7 arguments, so what will show up on screen is going to be a mix of values from registers and from the stack.
The first 6 args to printf are in registers BUT only 5 of the format string args are in registers since the format string itself is in RDI.
So any arguments needed by the format string beyond the registers are read directly from the stack.
Of course in 32-bit the arguments are all on the stack.
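To make the "user controls the format string" point concrete, here is an added example (my own code, not from the lecture or the CTF challenge): the vulnerable call beside its hardened form, plus a small check that counts how many conversion specifiers an untrusted string would introduce if it were misused as a format. The input strings and the helper names (count_conversions, echo_vulnerable, echo_safe, renders_verbatim) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifiers in s: every '%' not followed by another '%'.
 * Zero means the string is inert even if it were (wrongly) used as a format;
 * anything else is a sign the input is being mis-used as a format string. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a literal '%' */
        n++;
    }
    return n;
}

/* The bug from the lecture: user input IS the format string, so every
 * "%p" or "%n" in it is acted on. gcc flags this with -Wformat-security. */
void echo_vulnerable(const char *user) {
    printf(user);
}

/* Hardened form: the format is a literal, the user string is an argument
 * and is printed verbatim no matter which '%' sequences it contains. */
void echo_safe(const char *user) {
    printf("%s", user);
}

/* Returns 1 if the hardened path reproduces the user string exactly
 * (it always should, even for "%19$hn"), 0 otherwise. */
int renders_verbatim(const char *user) {
    char buf[128];
    int n = snprintf(buf, sizeof buf, "%s", user);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, user) == 0;
}

/* Demonstration over constructed inputs, including two from the lecture. */
int main(void) {
    const char *inputs[] = { "hello", "100%% done", "%p %19$p %19$hn" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = count_conversions(inputs[i]);
        printf("input=\"%s\" conversions=%d verbatim=%d\n",
               inputs[i], n, renders_verbatim(inputs[i]));
        if (n > 0)
            printf("  -> would be a format-string bug if passed to echo_vulnerable\n");
        echo_safe(inputs[i]);     /* prints the text, interprets nothing */
        putchar('\n');
    }
    return 0;
}
```

Compile with -Wformat-security (or -Werror=format-security to fail the build) and gcc points straight at echo_vulnerable; the count_conversions check is the same idea applied at runtime to strings that reach a printf-family call from outside.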
Here are some format string tricks that are useful to us:
I'll demo these in class, but here's a nice run-down in a blog somewhere:
This is our first real PWN without using stack smashing. Here's a rough guideline of problems I've seen using this:
We will tackle the write-what-where more on Monday but for now let's get comfortable with the basics and try to bypass a canary.