Tags: windows 


## Infos

**Author**: awe
**Category**: Pwn
**Difficulty**: Easy
**Solves**: 2 (WTF)

## Description:

After monitoring the number of people escaping from `winworld` during the Insomni'hack Teaser, the droids became confident that Windows 10 is just too secured, so they decided to use it again to manage their army.
The protections are the same `winworld`, but the difficulty is... not quite the same ;)

Running on Windows 10 with:
AppJailLauncher.exe /key:flag.txt /port:1337 /timeout:12000000 easywin.exe

## Solution:

There is an obvious buffer overflow in the "change target" function, which allows to overwrite a format and a function pointer.

1) Use the format string to leak `ucrtbase.dll`. At offset 5 you have `ucrtbase!_argc`. Compute the base of `ucrtbase` from its offset.
2) Overwrite the function pointer with `ucrtbase!system` and trigger it. The binary has Control Flow Guard but `system` is a valid target, so no problem.
3) First argument of `system` is our buffer (how convenient?), however our charset is limited to `c > 0x20 && c < 0x7f` so we can't use space characters. We can use `,` or `^` to circumvent that restriction: `type,flag.txt\x00`.
4) For some reason remotely this didn't work (buffering or whatever), adding another command that prints more bytes does the trick: `type,flag.txt&whoami^/all\x00`
5) Get the flag: `INS{command^injection^for^the^win}`

Original writeup (https://github.com/Insomnihack/Insomnihack-2017/tree/master/pwn/easywin).