This insecure programming challenge from gera can be solved (pwned) in a similar fashion to the one in my previous post. The challenge’s source is posted. The challenge can be found at gera’s format string 3.
As the code shows, we are able to write two bytes at a time (“%hn”). The target platform, once again, is FreeBSD.
We control both where we write and what we write. The GOT overwrite technique is a good option for exploiting this challenge. readelf(1) reveals the memory offsets of all the functions dynamically linked into the compiled binary.
Since the program ends after the snprintf call, we can use the address of exit’s GOT entry (0x080496b4). We can only write two bytes per write (a maximum value of 0xffff, i.e. 65535). If the payload is placed in an environment variable, the most significant byte of its address will be 0xbf.
A large enough payload is needed to make sure that, when exit is called, execution lands somewhere in the NOP sled. The environment variable was found at 0xbfbe6910. As mentioned previously, we need to write the value 0xbfbe to 0x080496b6.
Now we simply need to replace the “\xcc” with our shellcode and watch the shell spawn.
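The root cause that makes the “%hn” write possible is user input being used as the format string itself. The following is an added example (not gera’s challenge code, whose exact call I only assume resembles `snprintf(out, n, user)`): the vulnerable pattern beside its hardened form, plus a small review helper that flags format strings carrying a write directive.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable pattern (assumed shape of the challenge's call, not its actual
 * source): attacker-controlled text is passed as the format string, so any
 * %n / %hn directive in it is interpreted and performs a write. */
static int greet_vulnerable(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}

/* Hardened form: the format is a literal and the user text is only a %s
 * argument, so directives in the input are copied verbatim, never interpreted. */
static int greet_fixed(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Audit helper for code review or input logging: returns true when a format
 * string contains a write directive (%n, %hn, %hhn, %ln, ...). "%%" is a
 * literal percent sign and is skipped. */
static bool has_write_directive(const char *s) {
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        p++;                                   /* step past the '%' */
        if (*p == '%') continue;               /* "%%" literal percent */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p)) p++;
        if (*p == 'n') return true;            /* %n family: a write */
        if (*p == '\0') break;                 /* malformed trailing '%' */
    }
    return false;
}
```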