The goal of this challenge is to find the location where we can write our supplied input in memory and find the correct offset value to print the winning statement.


Things to note

  • **char buffer[512]**: Declares a 512-byte stack buffer.
  • **fgets(buffer, sizeof(buffer), stdin)**: Reads user-supplied input and limits it to the size of the buffer, 512 bytes. At most 511 bytes of input can be stored, because C always appends a 0x00 terminator at the end.
  • **printf(buffer);**: This is the vulnerable line in this code. printf() does not check whether the supplied input contains format specifiers, since it treats whatever string it is given as the format. So what we can do is verify whether we can leak memory addresses and also write values into memory ([READ] %p or %x → [WRITE] %n).
  • **if(target == 64) {**: target is the global variable whose address we need to find. Then, by leveraging the format string vulnerability, we write to the target until it equals 64 and the winning statement is printed.
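As an added illustration (not the Protostar source), the buggy printf(buffer) pattern next to the one-line fix, plus a small audit helper that counts %n conversions in a string about to reach a printf-family call; `target`, `vuln_echo`, `safe_echo` and `count_n_directives` are names chosen here:

```c
#include <stdio.h>
#include <string.h>

/* Constructed re-creation of the format2 pattern for comparison; not the Protostar source. */
int target = 0;  /* stands in for the global that format2 compares with 64 */

/* BUGGY: the untrusted line is the format string, so %p/%x read stack words
 * and %n writes a character count through a stack word used as a pointer.
 * The call is routed through a pointer only because a literal printf(line)
 * fails under gcc's -Werror=format-security, the build-time catch for this. */
typedef int (*printf_fn)(const char *, ...);
static printf_fn unchecked_printf = printf;

void vuln_echo(const char *line)
{
    unchecked_printf(line);                  /* never reach here with untrusted data */
}

/* FIXED: constant format, untrusted text only as an argument. Every '%' in
 * the input is printed literally; returns the length, as printf("%s") does. */
int safe_echo(const char *line, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", line);
}

/* Audit helper: count %n conversions in a string about to reach a printf-family
 * call. "%%" is literal; flags, width, precision, length and "$" are skipped. */
int count_n_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }
        while (*s && strchr("-+ #0123456789.$hlLqjzt", *s)) s++;
        if (*s == 'n') n++;
        if (*s) s++;
    }
    return n;
}

int main(void)
{
    char line[512], out[512];
    if (!fgets(line, sizeof line, stdin)) return 1;      /* 511 bytes + NUL, as in the challenge */
    printf("%%n directives seen: %d\n", count_n_directives(line));
    safe_echo(line, out, sizeof out);
    fputs(out, stdout);                                  /* target is still 0 */
    return 0;
}
```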

Disassemble (GDB)

Let’s disassemble the binary to see what it is doing at the assembly level:

$ gdb -q format2
Reading symbols from /opt/protostar/bin/format2...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble vuln



[ExpDev] Exploit Exercise | Protostar | Format 2