[ExpDev] Exploit Exercise | Protostar | Format 4

Format 4 (Format String Exploit: GOT)

The goal of this challenge is to redirect our execution flow to print the winning statement by leveraging a Global Offset Table (“GOT”) instead of the return pointers that we used for previous Format String vulnerability challenges. Let’s see how we can do this :)

• Link: https://exploit-exercises.lains.space/protostar/format4/

Things to note

• char buffer[512]: Setting the buffer size to 512.
• fgets(buffer, sizeof(buffer), stdin): Getting a user supplied-input. And it limits the buffer size to size of the buffer, which is 512. We can max input with 511 bytes because C always add 0x00 at the end of the string as a terminator.
• printf(buffer);: This is the vulnerable function in this code. The printf() will not check whether the supplied inputs expected format strings or not since it is coded to accept any string values. So what we can do is simply to verify if we can leak the memory addresses and also write arbitrary code onto the stack ([READ] %p or %x → [WRITE] %n).
• exit(1);: The exit(1) is a syscall, and it simply exits the program. Unlike previous exercises, we do not have any return addresses after the printf(); instead, we have this exit(1). But what we can do is since the exit(1) is a part of the Global Offset Table (“GOT”), we can overwrite its entry point for the exit(1) function with the address for hello() to print out the winning statement.

What is GOT?

Simply put, GOT helps load shared library functions (e.g., exit()) in a dynamically-linked ELF binary. Basically, one can create their program without re-writing popular functions like exit(); instead, they can add pointers to call those functions as that they can be dynamically loaded at the run time. Example ASM file below:

Source: https://github.com/bigb0sss/b0ssTheASM/blob/master/0x06_libc/libc_01.nasm

Disassemble (GDB)