
Exploit Education (Protostart Format 1)

Goal

Print "you have modified the target :)"

Let's dig into the source code of the binary.

/* Source Code Of Challenge */

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;   /* global, never assigned anywhere in the program */

void vuln(char *string)
{
  printf(string);   /* user input used directly as the format string */
  
  if(target) {
      printf("you have modified the target :)\n");
  }
}

int main(int argc, char **argv)
{
  vuln(argv[1]);   /* first command-line argument goes straight to vuln() */
}

At first glance, we can see that target is initialized and never assigned, and that the if statement checks whether it has been modified: if it is non-zero the message is printed; if not, the function returns and the program ends. Digging further, main takes the first command-line argument and hands it to vuln, which prints that input with printf without supplying any format specifier of its own. That makes the program vulnerable to a format string bug. (A format string vulnerability is one where unsanitized user input is used as the format argument, so the format specifiers the user supplies can leak values from memory or write to memory.) We can use it to modify the target variable so that the message is printed.
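To make the defect concrete, here is an added example (not code from the challenge or the original post) that places a hardened version of vuln() next to two small audit helpers: one counts the conversions an untrusted string would perform if it ever reached a format argument, the other flags the memory-writing %n conversion that would be needed to change target. The names vuln_fixed, count_conversions, has_write_conversion and render_safe are assumptions introduced for this example.

```c
/* Added example, not part of the original post: the challenge's vuln() next
 * to a hardened form, plus two small audit helpers. The names vuln_fixed,
 * count_conversions, has_write_conversion and render_safe are assumed
 * (they do not appear in the challenge source). */
#include <stdio.h>
#include <string.h>

int target;   /* same global as in the challenge; stays 0 unless written */

/* Hardened vuln(): the user string becomes an argument to a fixed format,
 * so any '%' it contains is printed literally instead of being interpreted.
 * This one-line change is the fix for the bug described above. */
void vuln_fixed(const char *string)
{
    printf("%s", string);
    if (target) {
        printf("you have modified the target :)\n");
    }
}

/* Count the conversions a string would perform if it were used as a printf
 * format ("%%" is a literal percent, not a conversion). A non-zero count on
 * input that reaches a format argument is a bug worth logging. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": skip the second '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Return 1 if the string contains a %n conversion, the one that writes to
 * memory and is what would be needed to change target; 0 otherwise. */
int has_write_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;            /* literal percent */
        /* skip flags, width, precision, positional and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;               /* malformed trailing '%' */
    }
    return 0;
}

/* Render untrusted text through a fixed format into a bounded buffer;
 * returns the length snprintf reports. The input is copied unchanged. */
int render_safe(char *out, size_t cap, const char *untrusted)
{
    return snprintf(out, cap, "%s", untrusted);
}

int main(int argc, char **argv)
{
    /* constructed sample input when no argument is given */
    const char *input = argc > 1 ? argv[1] : "%x%x%n";
    char buf[128];

    printf("conversions: %zu, contains %%n: %d\n",
           count_conversions(input), has_write_conversion(input));
    render_safe(buf, sizeof buf, input);
    printf("rendered safely: %s\n", buf);
    vuln_fixed(input);       /* target remains 0 whatever the input */
    return target;
}
```

The helpers are a logging heuristic, not a sanitiser: the real fix is never to let untrusted data become the format argument, which is what vuln_fixed does.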

objdump -t format1 | grep "target"

# get address of target variable

gcc -m32 -fno-stack-protector -z execstack -no-pie  -w -D_FORTIFY_SOURCE=0 -O0 format1.c -o format1

# compile binary
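The compile line above deliberately switches every mitigation off. As an added example (not from the original post), the script below shows the opposite setting a defender would use in CI: a gate that refuses to build any source whose printf-family call uses a non-literal format with no arguments, which is exactly the printf(string) pattern in vuln(). It assumes a C compiler reachable as $CC or cc (gcc and clang both honour -Wformat and -Werror=format-security); the two sample sources it writes are constructed copies, one reproducing the challenge's bug and one with the fixed call.

```sh
#!/bin/sh
# Added example, not part of the original post: a compile-time gate built on
# the real gcc/clang flags -Wall -Wformat -Werror=format-security. Assumes a
# C compiler reachable as $CC or `cc`. The function names write_samples and
# format_security_gate are assumed (chosen for this example).
set -u

# Write two constructed sources into DIR: vuln.c reproduces the challenge's
# printf(string) call, fixed.c passes the string as an argument instead.
write_samples() {
    dir=$1
    cat > "$dir/vuln.c" <<'EOF'
#include <stdio.h>
int target;
void vuln(char *string) { printf(string); if (target) puts("modified"); }
int main(int argc, char **argv) { if (argc > 1) vuln(argv[1]); return 0; }
EOF
    cat > "$dir/fixed.c" <<'EOF'
#include <stdio.h>
int target;
void vuln(char *string) { printf("%s", string); if (target) puts("modified"); }
int main(int argc, char **argv) { if (argc > 1) vuln(argv[1]); return 0; }
EOF
}

# format_security_gate FILE: returns 0 if FILE builds with the format-security
# check promoted to an error, 1 if the compiler rejects it. On rejection the
# first diagnostic mentioning "format" is echoed so the build log explains why.
format_security_gate() {
    src=$1
    out=$(mktemp)
    if "${CC:-cc}" -Wall -Wformat -Werror=format-security -o "$out" "$src" 2>"$out.log"; then
        rm -f "$out" "$out.log"
        return 0
    fi
    grep format "$out.log" | head -n 1
    rm -f "$out" "$out.log"
    return 1
}

# Demo: run both constructed sources through the gate.
tmp=$(mktemp -d)
write_samples "$tmp"
if command -v "${CC:-cc}" >/dev/null 2>&1; then
    for f in vuln fixed; do
        if format_security_gate "$tmp/$f.c"; then
            echo "$f.c: accepted"
        else
            echo "$f.c: rejected by -Werror=format-security"
        fi
    done
else
    echo "no C compiler found; set CC or install gcc/clang"
fi
rm -rf "$tmp"
```

Run as a plain script: vuln.c is rejected with the compiler's "format not a string literal" diagnostic, fixed.c is accepted. In a real project the same three flags go into CFLAGS so the gate applies to every translation unit, not only to a sample.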


ASLR is off. Note: this payload will not work for you as-is, because environment variables differ between machines and shift the stack layout.

This post is licensed under CC BY 4.0 by the author.