Another writeup for a pwn CTF challenge! In this challenge, we need to leak the canary value via format strings, and do a buffer overflow to change the return address to the desired function.

The buffer for us to overflow is 16 characters long. It first reads in data with a format string, and prints the value out. Next it asks for an overflow value, which is the second part of the attack. Let look at how to get the canary value first.

If we enter %x as an input, we get a hex value. Looking at IDA, this corresponds to the value on the stack.

If we step through the program, we see the value of the canary that it is comparing against. We reference back to the stack to see the what the offset is from the first value

We can’t simply write %x 11 times like this %x%x%x%x%x%x%x%x%x%x%x, as it will overwrite the values on the stack, and also overwrite the canary value. Hence we have to use a positional argument to get the 11th position on the stack: %11$x

Knowing the overflow amount and the stack canary, we just need to get the address of the print_flag function via gdb

Stringing everything together with pwntools. We needed to add more \xaa to overflow the EBP and some other stuff to get the print_flag address into the RET space