This is the third uncontrolled format string vulnerability exercise from the Protostar image at Exploit Exercises. It is very similar to the last exercise except now we have to control the value we are writing with our exploit.
For this challenge we are given the following source:
Reading through there are just a few differences from the last challenge. Our input is no longer taken from a command line argument, but is instead taken over stdin. This means if we want to use our python command replacement to handle repetitve typing and non-printable bytes we will have to pipe them in from echo.
Once again there is an improper use of
printf() which exposes the program to attack.
The call should look like:
but instead looks like this:
This time we need to overwrite
target with the value to get our success message.
Once again we start by finding the address of our input on the stack. This time it should be a little easier as it is taken by
fgets() right before the call to
printf(). To pass it over stdin I piped the result of echo into an execution of
So our input is the 4th position on the stack. Now we can get the address of
target the same way we did last time as it is still uninitialized and exists in the bss segment.
Now we can build our exploit like we did last time using Direct Parameter Acccess (DPA):
As we expected target is now 4! This is because so far we have written 4 bytes of data with our format string. How can we add 60 characters to increase that value to 64 and get our success message? Well, we have done this before! In Format 0 we used a width field to overflow a buffer, now we can use it to save space and sanity in our write:
We have succeeded in changing
target to by doing a single byte write with %n and increasing the characters printed with %x.