Protostar – Format Strings – Level 2

Hello everyone,

Let’s continue working in Protostar exploit exercises 🙂

Next exercise says the following:

This level moves on from format1 and shows how specific values can be written in memory.
 
This level is at /opt/protostar/bin/format2

And this is the code for this level 2:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);
  printf(buffer);
  
  if(target == 64) {
      printf("you have modified the target :)\n");
  } else {
      printf("target is %d :(\n", target);
  }
}

int main(int argc, char **argv)
{
  vuln();
}

This time, the input is received in a different way:

fgets(buffer, sizeof(buffer), stdin);

Let’s start as the past levels. First of all, I verify that the input is vulnerable to format string attack:

The next step is identify the memory address for the variable target:

And then, try to display this address using the the format string attack:

As you can see in the image above, the address is displayed properly. Now, instead of reading by using %x, lets write with a %n.

As you can see the target was modified. Now we can try to display integers and modify the base until we found the correct value:

%10d -> integer with base 10
%20d -> integer with base 20

Let’s see this trial and error process in action:

So that’s it for the level 2! Two more left.

See you in next blog post and Happy Hacking 🙂

This entry was posted in Exploiting and tagged , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *