Quick Daily PWN:

Just to kick-start your pico journey we'll do the first binary exploitation problem.

Format String Pwntools Tricks

Also Leveling Up via Write-ups

Also some printf gotchas

A ton of goals today but intentionally bizarre structure:

For the pwntools tricks let's pick up:

• FmtStr
• fmtstr_payload

BUT let's learn those by using https://ctftime.org/writeups?tags=formatstring&hidden-tags=format-string%2Cformatstring

The reason for this is that the REAL BENEFIT of this course is your ability to learn how to learn and we jump between a classroom version and the trenches version all the time. That trenches version never exactly matches what we see in the classroom.

I'll give you my weaknesses if you learn my style and mimick it. BUT the real growth is picking up new ways on your own pace.

So I'll do today's tech goal by way of a meta-cognition goal.

Some prep:

I have some binaries from write-ups hidden in the /ec folder as greenfield future-proofing if we need:

The printf Gotchas

But I do want to say a few things from my experiences that will generally help:

• You can do more than one write-what-where at a time: p32(address1)+p32(address2)+"%width1x"+"%h7$n" + "%width2x"+"%hh8$n"
• You can do more than one leak at a time: "%19$p %24$p %17$p"
• If it's 64-bits then there will be null-bytes in your addresses, which STOP THE %n!!!
• So to get around that you CAN put the address at the back of the payload where they will exist and you calculate your own offset
• That looks like: "%width1x%123$hn"+p64(target) (the 123 is just a little larger than normal since your target is now deeper in the stack)