American Literature
Format string vulnerability.

Problem

Writing essays is so much fun! Watch me write all these totally meaningful words about other words... Actually, wait. You shouldn't be reading my essays. Shoo!

Solution

We are given the following source code:
1
int length;
2
char essay[50];
3
​
4
setbuf(stdout, NULL);
5
setbuf(stdin, NULL);
6
setbuf(stderr, NULL);
7
​
8
...
9
​
10
FILE *fp = fopen("flag.txt", "r");
11
char example_essay[100];
12
​
13
...
14
15
fgets(example_essay, sizeof(example_essay), fp);
16
​
17
...
18
19
fgets(essay, sizeof(essay), stdin);
20
essay[strcspn(essay, "\n")] = 0;
21
length = strlen(essay);
22
​
23
...
24
25
printf(essay);
26
​
27
...
Copied!
This is a typical format string vulnerability, where the user input is passed into printf() as a format string. Hence, we can use %<position>$llx to view the stack values.
Since the example_essay buffer also resides on the stack, we can leak the flag.
Then, convert the little endian to big endian to obtain the flag.
Copy link