Tags: bof fmtstr pwn 

Rating:

buffer overflow in
```c
// Decompiler (IDA-style) output, not compilable C. Reads a character index and
// lets the user overwrite the name, age and date of jail[index]. The local
// buffer s2 occupies rbp-0x30 .. rbp-0x8, i.e. 0x28 bytes before the stack
// canary (v5) — the decompiler shows it as a lone `char`, but that is the
// real extent of the buffer.
unsigned __int64 edit_character() {
__int64 v1; // [rsp+0h] [rbp-40h]
int v2; // [rsp+4h] [rbp-3Ch]
char *s1; // [rsp+8h] [rbp-38h]
char s2; // [rsp+10h] [rbp-30h]  -- 0x28-byte stack buffer, directly below the canary
unsigned __int64 v5; // [rsp+38h] [rbp-8h]  -- stack canary copy

v5 = __readfsqword(0x28u);
printf(" [ Character index ]: ");
// Only the low 32 bits of v1 are written; the bounds check below then reads
// the full 64-bit value. Presumably a decompiler artifact of a 32-bit int —
// confirm against the binary before relying on the range check.
LODWORD(v1) = read_user_int();
if ( v1 >= 0 && v1 <= 3 && jail[v1] ) {
s1 = jail[v1];
puts(" [ Character ]");
printf(" Name: ", v1);
// Stack buffer overflow: up to 127 bytes are read into a 0x28-byte buffer,
// so the input can reach the canary (v5) and the saved return address.
// The bound passed here should be the buffer size (0x28), not 127.
read_user_str(&s2, 127LL); // bof here
if ( strcmp(s1, &s2) )
// strncpy with a 0x20 limit does not NUL-terminate when the source is
// 0x20 bytes or longer; later %s/strcmp on s1 may over-read.
strncpy(s1, &s2, 0x20uLL);
printf(" Age: ", &s2;;
v2 = read_user_int();
// NOTE(review): the age field at +8 overlaps the 0x20-byte name copy above
// as listed here; likely a lost pointer cast in the decompilation — verify
// the struct layout against the binary.
if ( *(s1 + 8) != v2 )
*(s1 + 8) = v2;
printf(" Date (mm/dd/yyyy): ");
// read(2) does not NUL-terminate; the remainder of s2 keeps whatever the
// earlier name input left behind, and that is what strcmp/strncpy then see.
read(0, &s2, 0xAuLL);
if ( strcmp(s1 + 36, &s2) )
strncpy(s1 + 36, &s2, 0x20uLL);
}
else {
puts(" [!] Invalid index.");
}
// Canary check: returns nonzero when v5 was clobbered (the caller's
// __stack_chk_fail path), which is why an overflow must preserve it.
return __readfsqword(0x28u) ^ v5;
}
```

and format string vulnerability in
```c
// Decompiler (IDA-style) output, not compilable C. Prints the name, age and
// date stored for jail[index]. The date string is user-controlled (written by
// edit_character) and is passed to printf as the format argument.
unsigned __int64 read_character_infos(){
__int64 v1; // [rsp+0h] [rbp-40h]
char *src; // [rsp+8h] [rbp-38h]
char dest; // [rsp+10h] [rbp-30h]  -- 0x28-byte stack buffer (rbp-0x30 .. rbp-0x8)
unsigned __int64 v4; // [rsp+38h] [rbp-8h]  -- stack canary copy

v4 = __readfsqword(0x28u);
printf(" [ Character index ]: ");
// Only the low 32 bits of v1 are assigned before the 64-bit range check;
// presumably a decompiler artifact — confirm against the binary.
LODWORD(v1) = read_user_int();
if ( v1 >= 0 && v1 <= 3 && jail[v1] ) {
src = jail[v1];
// strncpy with 0x20 does not NUL-terminate a 0x20-byte name; the %s below
// would then continue into the uninitialised tail of dest.
strncpy(&dest, jail[v1], 0x20uLL);
printf("Character name: %s\n", &dest, v1); // extra argument v1 is ignored by the format
printf("Age: %d\n", *(src + 8));
strncpy(&dest, src + 36, 0x20uLL);
printf("He's been locked up on ", src + 36); // no conversion in the format; src+36 is ignored here
// Format string vulnerability: user-controlled data is used as the format
// string. check_date_format() apparently does not reject '%' (its body is
// not shown here). The fix is printf("%s", src + 36) or fputs().
if ( check_date_format((src + 36)) )
printf(src + 36); // fmtstring vuln here
else
printf("an invalid date.");
puts(".");
}
else {
puts(" [!] Invalid index.");
}
// Canary check against the copy taken at entry.
return __readfsqword(0x28u) ^ v4;
}
```

- leak canary
- restore the canary before overwriting the return address

[read more](http://taqini.space/2020/05/11/Sharky-CTF-2020-pwn-wp/#captain-hook-399pt)

Original writeup (http://taqini.space/2020/05/11/Sharky-CTF-2020-pwn-wp/#captain-hook-399pt).