I decided to try something noone else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's unsecure!
Then, the task provides the C-code and the server on which most probably this code is working. The full code is provided below:
So, the best thing will be to start examining the code provided. The special attention should be paid to the places we enter something (as this way we can influence the application).
After some time we can notice this fragment:
scanf("%300s", user_buf);
printf("Buying stonks with token:\\n");
printf(user_buf);
Here, we can see, that the last printf does not have the format string. Let's look what will happen if we put the format string as an input here. This is shown in Figure 1:
Figure 1: Test format string as an input
Here, we can see, that instead outputing the value we gave to the application, it answered with some number. Thus, we confirmed the existence of Format string vulnerability.
Now, let's understand, what is happenning.
All the local variables when they are used by the application take their place on stack. The same happens with the arguments before function calls. When the printf is called it takes one argument (user_buf) that was placed at the stack before the call in order for printf to take it.
But what will happen if this value - format string? In this case the printf will try to take the next value on the stack (just before the user_buf) as it will think that these values are supposed for printing as is was provided by the format string. It is unexpected for the application but can help us to find the flag.
So, using this vulnerability we are able to access the values lying on the stack before the printf call. If we examine the code, we will notice that the variable containing the flag value is used in the same function and before the function call. Thus, printing the values of the stack will help us to retrieve the flag.
One way of doing it is to use %x format string to print the stack byte-by-byte. We can count how many bytes we need to retrieve but the faster way will be trying to guess. Let's try 50. The way I did it is shown in Figure 2:
Figure 2: Printing the stack byte-by-byte
So, here is the exploit used: