
Format 0

https://exploit-exercises.com/protostar/format0/

Goal

To set target to 0xdeadbeef.

Source Code

format0.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void vuln(char *string)
{
  volatile int target;
  char buffer[64];

  target = 0;

  sprintf(buffer, string);
  
  if(target == 0xdeadbeef) {
      printf("you have hit the target correctly :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);
}

Exploit

This one took a little bit of learning about format strings. First, it's important to note that this program is vulnerable to a buffer overflow. You could just pass 64 bytes of some characters and then 0xdeadbeef into the string, and that would overwrite target. However, we can also do this with a shorter input because of the format string vulnerability.

We still keep our goal of writing 68 bytes into buffer (the last 4 being 0xdeadbeef). Now, a little bit about format strings. In sprintf, the conversion specifiers in the format string place formatted data into the buffer. After some research, I discovered that %64x reads 64 bytes into the format string. It doesn't really matter where these bytes come from, but they come from the stack, which means that format string vulnerabilities can also leak information to others. Thus, our strategy will be to read 64 bytes into the buffer using %64x and then read 0xdeadbeef into buffer.

Final output:

$ ./format0 $(python -c 'print "%64x\xef\xbe\xad\xde"')
you have hit the target correctly :)
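
As an added example (not part of the original write-up or the Protostar source), the C program below measures how the argument from the final command expands when it is used as a format string, next to a bounded, constant-format version of the call. The helper names and the stand-in `0u` argument are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* same size as buffer[] in format0.c */

/* Constructed sample input: the argument from the final command above. */
static const char PAYLOAD[] = "%64x\xef\xbe\xad\xde";

/* Bytes sprintf(buffer, s) would emit, excluding the NUL, when s is used as
 * the format. snprintf(NULL, 0, ...) only measures and writes nothing. The
 * 0u is an assumption: it stands in for the stack word that the real call
 * would consume for a single %x. */
static size_t len_as_format(const char *s)
{
    int n = snprintf(NULL, 0, s, 0u);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the expanded output plus its NUL does not fit in buffer[]. */
static int expands_past_buffer(const char *s)
{
    return len_as_format(s) + 1 > BUF_SIZE;
}

/* Hardened form of the call: constant format, explicit bound.
 * Returns 1 if s fit in dst untruncated, 0 otherwise. */
static int copy_as_data(char *dst, size_t dstsz, const char *s)
{
    int n = snprintf(dst, dstsz, "%s", s);
    return n >= 0 && (size_t)n < dstsz;
}

int main(void)
{
    char buffer[BUF_SIZE];

    printf("input length:        %zu\n", strlen(PAYLOAD));
    printf("expanded as format:  %zu (buffer is %d)\n",
           len_as_format(PAYLOAD), BUF_SIZE);
    printf("overruns buffer:     %s\n",
           expands_past_buffer(PAYLOAD) ? "yes" : "no");
    printf("copied as data fits: %s\n",
           copy_as_data(buffer, sizeof buffer, PAYLOAD) ? "yes" : "no");
    return 0;
}
```

The 8-byte argument becomes 68 bytes of output because `%64x` is a minimum field width of 64 characters for one hex value; with a constant `"%s"` format the same bytes are copied literally and stay within the bound.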