diff options
author | Malfurious <m@lfurio.us> | 2021-08-03 19:53:26 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2021-08-03 19:53:26 -0400 |
commit | 5970194d1303e16364ff1405f974c995de46203b (patch) | |
tree | d3f748eeb0112205bb7784bd353b22376ee827ae /docs/writeups/ImaginaryCTF_2021/formatting.txt | |
parent | ef6e3a502bf8498a8f641eb3dad11d3065359bbb (diff) | |
parent | aa9da0f6f27759f5f3201bafb0e52f41367f08ef (diff) | |
download | lib-des-gnux-5970194d1303e16364ff1405f974c995de46203b.tar.gz lib-des-gnux-5970194d1303e16364ff1405f974c995de46203b.zip |
Merge tag 'pull-duso-imaginary-writeups' of https://github.com/Dusoleil/lib-des-gnux
Writeups and other tools/docs from ImaginaryCTF from Dusoleil.
* tag 'pull-duso-imaginary-writeups' of https://github.com/Dusoleil/lib-des-gnux:
Adding Initial Commit of the Sploit Tool
Adding Various Docs
Adding Various Small Tools
Git Ignore __pycache__ for All Tools
Writeups from Imaginary CTF 2021
Diffstat (limited to 'docs/writeups/ImaginaryCTF_2021/formatting.txt')
-rw-r--r-- | docs/writeups/ImaginaryCTF_2021/formatting.txt | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/writeups/ImaginaryCTF_2021/formatting.txt b/docs/writeups/ImaginaryCTF_2021/formatting.txt new file mode 100644 index 0000000..62efda4 --- /dev/null +++ b/docs/writeups/ImaginaryCTF_2021/formatting.txt @@ -0,0 +1,23 @@ +The Problem +----------- +given a hint about format strings + +a python script using the new python3 "function-like" format strings + +in particular, + + inp = input("> ") + inp.format(a=stonkgenerator()) + +this allows us to use "{}" in the inp string to substitute for arguments passed into format(). In this case, we only have a single, named argument we can substitute for ("{a}"). Any instance of "{a}" will be substituted with whatever a= in format(). + +Normally, you need some kind of object that is printable. In this case, they are instantiating a class "stonkgenerator" which has a __str__() conversion. The fact that an object is used here (and that we control the format string) is the exploitable bit. + + + +The Attack +---------- +When you use these types of format strings to get an object, you can actually reference properties of that object in the format string as well. For instance "{a.__str__()}" would actually work. Python is notoriously bad about data encapsulation, so we now have access to pretty much the whole program's memory. + +There is a variable "flag" at the top of the program which reads the flag in from some file. We want to print this out. It is as easy as +{a.__init__.__globals__[flag]} |