Monday, December 22, 2014

Protostar - Format #0


This level introduces format strings, and how attacker supplied format strings can modify the execution flow of programs. (link)

Source Code:


For this one, the sprintf function takes the string we pass in as a command-line argument and prints it out into buffer. Our target above the buffer in memory, so this should be very similar to the buffer-overflow exploits from before.

The key to this one is that sprintf accepts "placeholders" in the form %d, %n, etc. We can select a formatting of one of these placeholders that will expand a single placeholder out into being 64 bytes wide. Whatever comes after this 64-byte placeholder will overwrite the memory above the buffer (in this case, target)

This means if we overwrite target with the target value from the if statement, we should get the printf call to execute:

user@protostar:/opt/protostar/bin$ ./format0 %64d$(python -c "print '\xef\xbe\xad\xde'")
you have hit the target correctly :)

That's it!

1 comment: