With this challenge, we’re given some C code in which we are to find the vulnerability.
    #include <stdio.h>
    int target;                       /* the global the challenge asks us to modify */
    void vuln(char *string) {
      printf(string);                 /* user input is used directly as the format string */
      if (target) printf("you have modified the target :)\n");
    }
    int main(int argc, char **argv) { vuln(argv[1]); }
If you notice, there is a format string vulnerability inside the “vuln” function. It is calling “printf” with a string provided directly by the user as the format argument. To prevent this vulnerability, the user string should be passed as an argument to a fixed “%s” format rather than used as the format itself.
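As an added example (not the Protostar source and not the write-up’s own code), here is the hardened form of vuln() beside a small audit check that flags strings which must never reach printf as a format; vuln_safe, safe_render_is_literal and count_format_directives are names assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of vuln(): the user string is only ever an argument to a
 * fixed "%s" format, so any '%' sequences in it are printed, not interpreted. */
void vuln_safe(const char *string)
{
    printf("%s", string);
}

/* Render the hardened form into a buffer and report whether the output is
 * the input byte-for-byte (1) or not (0). Truncation counts as a mismatch. */
int safe_render_is_literal(const char *string)
{
    char out[256];
    int n = snprintf(out, sizeof out, "%s", string);
    if (n < 0 || (size_t)n >= sizeof out)
        return 0;
    return strcmp(out, string) == 0;
}

/* Audit helper: count the conversion directives a string would carry if it
 * were passed as a printf format. "%%" is a literal percent sign and is not
 * counted. A non-zero result means the string must not be used as a format. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed probe in the shape the write-up uses: eight 'A's, then %x markers. */
    const char *probe = "AAAAAAAA%x.%x.%x";
    printf("directives found: %d\n", count_format_directives(probe));
    printf("hardened output is literal: %d\n", safe_render_is_literal(probe));
    vuln_safe(probe);           /* prints the probe exactly as typed */
    putchar('\n');
    return 0;
}
```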
The first step of exploiting this vulnerability would be to find the address of “target”, so that we can modify it.
user@protostar:/opt/protostar/bin$ objdump -t format1 | grep target
08049638 g O .bss 00000004 target
The next step is to find the direct reference on the stack to the command-line argument we enter. To do this, we can simply spam “%x”, since each one pops the next word off the stack. If we do it enough times, eventually we’ll reach where the argument is located. I chose to do it 150 times, guessing it would be less than that.
If you look at that output, you’ll see each word on the stack, separated by periods. Eventually, you should see “41414141”, since 150 was enough. This corresponds to the “AAAAAAAA” we entered at the beginning of the argument. I often find it easier to use 8 “A”s instead of 4, in case the value is not word-aligned and gets split across two words, giving something like “41411234.5678414141”.
Counting in, it looks like the argument sits 128 bytes into the stack. Just to verify, let’s try a little more precisely: