Since I’ve been doing a lot of the format string exploits lately, I decided to do the Final 1 challenge.

We start out the challenge by being given the following code:

#include "../common/common.c"

#include <syslog.h>

#define NAME "final1"
#define UID 0
#define GID 0 …

Next up is the last challenge in the Format String series, Format 4.

It starts out with the following code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
 printf("code execution redirected! you win\n"); …

Continuing in the String Format section, the next challenge we run across is Format 3.

We’re first given the following code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)
{
 printf(string);
} …

Continuing from where we left off, we arrive at Format 2. It presents us with the following code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
 char buffer[512];

 fgets(buffer, sizeof(buffer), stdin); …

Following the Format 0 challenge, I’ve had to do a bunch of reading on how format string exploits work on a very low level.

Some resources that I’ve found greatly useful:

• Hacking: The Art of Exploitation, 2nd Edition
• Exploiting Format String Vulnerabilities
• SecurityTube.net Format …

I’ll be honest, I’m new to format string exploits. I’ve been more experienced with stack overflows, and a little with heap overflows. So hopefully this information is correct, as it’s from my current understanding.

Protostar Format 0 starts us off with the following …