Phoenix Format-Zero write-up (amd64)


This level introduces format strings and how attacker-supplied format strings can modify program execution. This document is very useful if you have no previous knowledge of format string vulnerabilities; you can also read the format string exploitation chapter of the legendary book The Art of Exploitation.


This level can be solved with a format string vulnerability, because the buffer is not large enough to reach the return address, so we take advantage of the format string bug instead. Let's begin by analysing the code. There is no gets function here, which we relied on in earlier levels to write an arbitrary amount of data into the buffer. However, if we look closely at the code, we can see that sprintf is called without a fixed format parameter: our input itself is used as the format string, and this is the vulnerability we have to exploit. Among other things, it lets us leak memory addresses from the stack.

So if we type %x or %s as our input, we leak values from the stack. In order to change the changeme value, we have to fill the stack by using the width field of the format specifier, i.e. %[number][format], for example %64x.

In gdb, set a breakpoint at 0x00000000004006f2 by typing (gdb) break *0x00000000004006f2, then type any input you want (e.g. hello) and examine the stack: you can see that the address of locals.changeme is 0x7fffffffe640. Then, if you run echo -ne `python -c 'print "%x"*14'` | ./format-zero, you pop 14 values from the stack and copy them into locals.dest, and the result overflows into locals.changeme.
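To make the two points above concrete (why a 4-byte input such as %64x can overflow a buffer that a length check on the input would consider safe, and what the bounded version of the copy looks like), here is an added example in C. It is not the level's source code or the author's: the struct layout and buffer size are constructed for the example, and the width parser gives only a lower bound on the output size.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout modelled on the level: dest, then the int the overflow reaches. */
struct locals {
    char dest[32];   /* size constructed for this example */
    int  changeme;
};

/* The level's bug is sprintf(l->dest, input): user input is the format and
 * there is no bound. Hardened form: constant format, explicit size, and a
 * truncation check. Returns 0 if input fit, -1 if it was rejected. */
static int safe_copy(struct locals *l, const char *input)
{
    int n = snprintf(l->dest, sizeof l->dest, "%s", input);
    return (n < 0 || (size_t)n >= sizeof l->dest) ? -1 : 0;
}

/* safe_copy on a zeroed struct: 1 = copied, 0 = rejected, -1 = changeme hit. */
static int hardened_copy_outcome(const char *input)
{
    struct locals l;
    memset(&l, 0, sizeof l);
    int rc = safe_copy(&l, input);
    return l.changeme != 0 ? -1 : (rc == 0 ? 1 : 0);
}

/* Lower bound on the output a format string produces, from its width fields
 * alone: each %[flags][width][.prec][len]conv emits at least max(width,1)
 * bytes (0 for %s/%n). Shows why a 4-byte input such as "%64x" defeats a
 * length check on the input: it expands to 64 bytes in dest. */
static size_t min_expanded_len(const char *fmt)
{
    size_t len = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { len++; continue; }
        if (*++p == '%') { len++; continue; }          /* "%%" literal */
        while (*p && strchr("-+ #0", *p)) p++;        /* flags */
        char *end;
        long width = strtol(p, &end, 10);             /* optional width */
        p = end;
        if (*p == '.') { p++; while (isdigit((unsigned char)*p)) p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifier */
        if (!*p) break;                               /* truncated spec */
        len += width > 0 ? (size_t)width : (*p == 's' || *p == 'n' ? 0 : 1);
    }
    return len;
}
```

Running min_expanded_len on the inputs from this write-up shows the mismatch a defender has to reason about: "%64x" yields at least 64 bytes while "%x" repeated 14 times yields at least 14 bytes plus whatever the stack values expand to, which is why the only reliable fix is never to use untrusted data as the format and always to bound the copy.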

And here is the proof of it working:

I hope you enjoyed my write-up. Any comment or suggestion is appreciated; you can contact me via my e-mail address:
