[ExpDev] Exploit Exercise | Protostar | Format 3

Format 3 (Format String Basic 3)

The goal of this challenge is to leverage a Format String vulnerability to write arbitrary bytes to the process memory and to print out the winning statement.

• Link: https://exploit-exercises.lains.space/protostar/format3/

Things to note

• char buffer[512]: Setting the buffer size to 512.
• fgets(buffer, sizeof(buffer), stdin): This func gets a user supplied-input. And it limits the buffer size to 512. We can max-input 511 bytes because C always add 0x00 at the end as a string terminator.
• printf(string);: This is the vulnerable function in this code. The printf() will not check whether the supplied inputs are expected format strings or not. This is because it’s coded to accept any input values at the location where the format parameter is supposed to be. So what we can do is simply to verify if we can leak the memory addresses and also write arbitrary values onto the stack ([READ] %p or %x → [WRITE] %n).
• if(target == 0x01025544) {: The target variable is what we need to find on the stack. Then, leveraging a Format String vulnerability, we will overwrite the 4 bytes to the target to match with the 0x01025544 to print out the winning statement.

Disassemble (GDB)

Let’s disassemble the binary to see what is doing at the ASM-level. This is very similar to the Format2. Only difference is the cmp value:

$ gdb -q format3
Reading symbols from /opt/protostar/bin/format3...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble vuln

Exploit

Initial Recon

Let’s supply some random strings to watch how the program behaves:

$ python -c 'print "AAAA"' | /opt/protostar/bin/format3 
AAAA
target is 00000000 :(