Pwnable.kr fsb writeup
There are two ways to solve this problem: one is to pass the validation, and the other is to jump to execve. Since the first one is too time-consuming, I use the second one here.
In main, there is an alloca with a random parameter, which disturbs the stack. So if we want to get information about the stack, we must leak it first.
In fsb, there is a printf bug, and we can use %1$n to write to any address. So we can just write an address, use $ to get a reference to it, and then write to that address! However, all input is saved at
So we consider another way. We can notice that ebp points to an old ebp, and we can control it.
First, we let the old ebp point to a function's GOT entry, so ebp -> ori_ebp -> 0x0 becomes ebp -> ori_ebp -> sleep_in_GOT.
Then we try to leak the pointer that ebp points to, and the
Finally, we just write the place that the old ebp points to with the address of
And here are the steps:
%18$ refers to
%14$ - 0x50 is
Let's say the result is a b. Then the offset is r = a - b + 0x50.
r is calculated in the last step.
Wait a sec...
$ cat flag
Have you ever saw an example of utilizing [n] format character?? :(
PS: I found it not so hard to pass the validation, since we can write anything: we can write the key! So we can just overwrite it with the value we are going to input.
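Added example, not part of the original writeup: a small C program showing the primitive the flag text hints at, seen from the defender's side. audit_format() parses an untrusted string the way printf would and reports %N$ positional references and %n stores (such as the %18$n style payload above); n_stores_byte_count() shows what %n actually writes when the format is a constant; safe_echo() is the hardened form, where input is only ever an argument. All function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Walk one printf directive starting at s[0] == '%'. Reports whether it is a
 * positional reference ("%14$x") and/or an %n store, and returns how many
 * bytes the directive occupies so the caller can keep scanning. */
static size_t parse_directive(const char *s, int *positional, int *writes) {
    size_t i = 1;
    while (isdigit((unsigned char)s[i])) i++;                  /* "%N" ... */
    if (s[i] == '$') { *positional = 1; i++; }                 /* ... "$": arg index */
    while (s[i] && strchr("-+ #0", s[i])) i++;                 /* flags */
    while (isdigit((unsigned char)s[i]) || s[i] == '*') i++;   /* width */
    if (s[i] == '.') { i++; while (isdigit((unsigned char)s[i]) || s[i] == '*') i++; }
    while (s[i] && strchr("hlLqjzt", s[i])) i++;               /* length modifiers */
    if (s[i] == 'n') *writes = 1;
    return s[i] ? i + 1 : i;
}

/* Audit an untrusted string as if it were about to become a printf format:
 * returns the directive count and reports %n stores and "%N$" references. */
int audit_format(const char *s, int *n_writes, int *n_positional) {
    int total = 0;
    *n_writes = 0; *n_positional = 0;
    for (size_t i = 0; s[i];) {
        if (s[i] != '%') { i++; continue; }
        if (s[i + 1] == '%') { i += 2; continue; }             /* literal "%%" */
        int pos = 0, wr = 0;
        i += parse_directive(s + i, &pos, &wr);
        total++;
        *n_writes += wr;
        *n_positional += pos;
    }
    return total;
}

/* What %n does: store the number of bytes emitted so far through the pointer
 * argument. Harmless with a constant format; an arbitrary write when user
 * input is the format. */
int n_stores_byte_count(void) {
    int count = -1;
    char out[64];
    snprintf(out, sizeof out, "%20c%n", 'A', &count);
    return count;                                              /* 20 */
}

/* Hardened echo: user data is an argument, never the format string. */
int safe_echo(const char *user, char *out, size_t outsz) {
    return snprintf(out, outsz, "%s", user);
}
```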