I just completed the format string problem. I took a semester of C a long time ago, but I remembered enough to know what was going on in the program that I was given to exploit. I used gdb -q ./format, then p &secret to find the location of the variable of secret in memory. Then I ran the program:
./format $(python -c 'print "%x.%x.%x"').
%x prints addresses in the stack. I put a dot between them so that I could see where each ended. I kept adding a %x. until I found the address that I needed. I found out that the 7th address was the address that I needed. It was 0x0804a030. The hint said that %n would be useful. I tried it, but I just couldn't get it to work correctly. Then I found some nice articles that helped to explain format string vulnerabilities fairly well. They were: http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html, and https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf. So then I ran the program with ./format $(python -c 'print "%1337x%7$n"'). The %1337x pads an unsigned hexadecimal integer with 1337 spaces. The %7$n specifies that I want the 7th address location, and n means that I want to write the number of bytes written so far to that place in memory. I got shell. Then I typed "cat flag.txt" and got the flag which was who_thought_%n_was_a_good_idea?
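As an added illustration (not part of the write-up or the challenge binary), here is the coding difference that makes the %x/%n tricks above work or not: a logging wrapper that is handed untrusted text as the format versus as an argument. Function names are my own, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Typical shape of the bug: a printf-style logging wrapper. The wrapper
 * itself is fine; the problem is what callers pass as 'fmt'. */
static int log_fmt(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* BUG: user-controlled text becomes the format string. "%x" then reads
 * stack slots and "%n" writes the byte count to a pointer read from the
 * stack, exactly as described in the write-up. (Not called with
 * directives here; doing so is undefined behaviour.) */
static int render_unsafe(char *out, size_t n, const char *user) {
    return log_fmt(out, n, user);
}

/* FIX: a constant format; user text is only ever a %s argument, so
 * "%1337x%7$n" is copied literally and interprets nothing. */
static int render_safe(char *out, size_t n, const char *user) {
    return log_fmt(out, n, "%s", user);
}

/* Defensive check for code paths where the format cannot be made
 * constant (e.g. templates from config): reject any '%' in untrusted
 * input. Returns 1 when the string holds no conversion specifier. */
static int has_no_directives(const char *s) {
    return strchr(s, '%') == NULL;
}

int main(void) {
    char buf[64];
    const char *payload = "%1337x%7$n";   /* constructed: the write-up's payload */
    render_safe(buf, sizeof buf, payload);
    printf("safe:   [%s]\n", buf);        /* prints the payload unchanged */
    printf("benign? %d\n", has_no_directives(payload)); /* 0 */
    return 0;
}
```

Compiling the unsafe call site with a literal-format wrapper (e.g. a `__attribute__((format(printf, 3, 4)))` on `log_fmt`) makes gcc's -Wformat-security flag it, which is the cheapest way to catch this class of bug in review.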
Very awesome!
This is probably the best beginner write-up on this problem out there. The other ones just assume you know certain things.