The challenge implemented a custom printf function that was called on our two inputs, after which the program exited. This exposed a format string vulnerability, which made it possible to leak important stack/libc/etc. base addresses, but %n was not implemented, so we could not write to memory.
Fortunately for us, it used an uncontrolled alloca (i.e. sub rsp, rax), where the parameter was the predicted output buffer length. We controlled that length with constructs like %1000d, which made alloca reserve a 1000-byte buffer on the stack.
This made it possible to set rsp to any lower memory address, and even to write into libc's memory.
Somehow a number of pages, including ones that contained pointers, were not read-only on Ubuntu 19.04 with libc 2.29. This was odd, as the situation was much better on Ubuntu 18.04… I don't know why they changed it, but whatever, it made exploitation much easier (possible at all)!
I tried to overwrite a number of targets with a OneGadget RCE, but in the end I replaced _IO_cleanup in the libc_atexit array, which was called at exit :D
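To show the root cause of the alloca bug above, here is an added example (not the challenge's code): a naive width-summing predictor feeding alloca, next to a bounded version that refuses any prediction over a fixed stack budget. The function names, the ALLOCA_LIMIT value and the sample format strings are assumptions.

```c
#include <alloca.h>
#include <stddef.h>

/* Stack budget a hardened implementation hands to alloca (assumed value). */
#define ALLOCA_LIMIT 4096

/* Naive "predicted output length" pass: every %<width> conversion counts as
 * <width> bytes, everything else as one byte. An attacker who controls the
 * format string therefore controls the return value directly. */
size_t predict_len(const char *fmt) {
    size_t total = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p == '%' && p[1] != '%') {
            size_t width = 0;
            p++;
            while (*p >= '0' && *p <= '9')
                width = width * 10 + (size_t)(*p++ - '0');
            if (!*p) break;               /* truncated conversion at end */
            total += width ? width : 1;
        } else {
            if (*p == '%') p++;           /* "%%" prints a single '%' */
            total += 1;
        }
    }
    return total;
}

/* Vulnerable pattern: the prediction goes straight into alloca, which the
 * compiler lowers to "sub rsp, rax", so a large width moves rsp arbitrarily
 * far down the stack. Returns the number of bytes reserved. */
size_t vulnerable_reserve(const char *fmt) {
    size_t n = predict_len(fmt);
    volatile char *buf = alloca(n);       /* unbounded stack move */
    buf[0] = 0;
    return n;
}

/* Hardened pattern: reject the request before touching the stack when the
 * prediction exceeds the budget. Returns -1 on rejection, else bytes reserved. */
long bounded_reserve(const char *fmt) {
    size_t n = predict_len(fmt);
    if (n > ALLOCA_LIMIT) return -1;      /* caller falls back to heap/error */
    volatile char *buf = alloca(n);
    buf[0] = 0;
    return (long)n;
}
```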
This challenge was a VM where every instruction was an emoji. For the first part of the challenge we had to reverse a flag ch...…