Intro:
This level introduces format strings and how attacker-supplied format strings can modify program execution. This document is very useful if you don't have previous knowledge of format string vulnerabilities; you can also read the Format String Exploit section of the legendary book The Art of Exploitation.
Solution:
This level can be solved using a format string vulnerability: the buffer is not large enough for us to reach the return address, so instead we take advantage of the format string vulnerability. Let's begin by analysing the code. There is no gets() function here, which we used in earlier levels to write an arbitrary amount of data into the buffer. However, if we look closely we can see that the sprintf() call has no format parameter, and this is the vulnerability we have to exploit: we can leak memory addresses from the stack,
so if we type %x or %s as our input we leak values from the stack. In order to change the changeme value we have to fill the buffer on the stack by using the width in the format parameter, i.e. %[number][format], e.g. %64x.
In gdb, set a breakpoint at 0x00000000004006f2 by typing (gdb) break *0x00000000004006f2, then type any input you want, e.g. hello, and examine the stack: you can see that the address of locals.changeme is 0x7fffffffe640. Then, if you run echo -ne `python -c 'print "%x"*14'` | ./format-zero, you pop 14 values from the stack and copy them into locals.dest, which overflows into locals.changeme.
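As an added illustration (not the level's source and not the author's exploit), here is a constructed C model of the pattern this write-up describes: a small dest buffer sitting directly below changeme, the unbounded sprintf() with a user-controlled format beside its hardened form, a check that the hardened copy leaves changeme untouched for the very inputs used above, and a small helper that counts conversion specifiers in untrusted input for logging or rejection. The struct layout and buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the level's frame (an assumption, not the level's
 * real source): a small destination buffer sits directly below changeme,
 * so any write past the end of dest lands in changeme. */
struct locals {
    char dest[32];
    int changeme;
};

/* The pattern the write-up exploits: the user input IS the format string.
 * "%64x" alone expands to 64 bytes; fourteen "%x" conversions copy stack
 * words as hex text until dest spills into changeme. Kept disabled here. */
#if 0
static void vulnerable_copy(struct locals *l, const char *input) {
    sprintf(l->dest, input);            /* no format, no bound */
}
#endif

/* Hardened form: constant format, the input passed only as a %s argument,
 * bounded length. "%x" in the input is now literal text and cannot expand. */
static void safe_copy(struct locals *l, const char *input) {
    snprintf(l->dest, sizeof l->dest, "%s", input);
}

/* Returns 1 when changeme is untouched and dest is still NUL-terminated
 * after copying `input` with the hardened routine. */
int changeme_survives(const char *input) {
    struct locals l;
    memset(&l, 0, sizeof l);
    safe_copy(&l, input);
    return l.changeme == 0 && strlen(l.dest) < sizeof l.dest;
}

/* Detection helper: count conversion specifiers in untrusted input.
 * A string that should be plain text but carries %x, %s or %n is the
 * signal to log or reject before it reaches any printf-family call. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        n++;
    }
    return n;
}
```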
And here is proof that it works:
I hope you enjoyed my write-up. Any comment or suggestion is appreciated; you can contact me via my e-mail address: omaroobaniessa@gmail.com