One more completed challenge is needed before we can declare format strings dead. This challenge from the format string section of Gera’s Insecure Programming is basically solvable using the same approach as challenge #3.
I am going to keep this post brief. If you want a more detailed description of the approach, see the challenge #3 write-up.
Gera’s challenge is posted below and can be found here.
As you may notice, the only difference is that direct parameter access (“%6$hn”) is used in the format string. As usual, the targeted platform is FreeBSD 8.2-RELEASE.
From here, the steps are the same as in #3. The only difference is that 16 bytes are needed to trigger the vulnerability.
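The directive this challenge depends on, “%6$hn”, combines two things a defender can check for whenever a format string is derived from untrusted input: a %n-style conversion (which writes to memory) and “%N$” direct parameter access. The scanner below is an added example, not code from the original write-up or from Gera’s challenge; it parses the printf directive grammar (flags, width, precision, length modifiers) and reports both kinds, the same check a hardened program would apply before ever letting such a string reach printf (or, better, would avoid entirely by passing user data only as an argument to a fixed format such as `"%s"`).

```c
#include <ctype.h>
#include <string.h>

#define FMT_WRITES_MEMORY 1u   /* a %n conversion (including %hn, %hhn, %ln) */
#define FMT_DIRECT_ACCESS 2u   /* a "%N$" direct parameter access */

/* Scan a printf-style format string and return a bitmask of the
 * directive kinds that make an attacker-controlled format dangerous.
 * Returns 0 when neither a %n conversion nor "%N$" access is present. */
unsigned scan_format(const char *fmt)
{
    unsigned found = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* literal percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        const char *d = q;                  /* "%N$": digits then '$' */
        while (isdigit((unsigned char)*d))
            d++;
        if (d != q && *d == '$') {
            found |= FMT_DIRECT_ACCESS;
            q = d + 1;
        }
        while (*q && strchr("-+ #0'", *q))  /* flags */
            q++;
        while (isdigit((unsigned char)*q) || *q == '*')   /* width */
            q++;
        if (*q == '.') {                                  /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*')
                q++;
        }
        while (*q && strchr("hlLqjzt", *q))  /* length modifiers */
            q++;
        if (*q == 'n')                       /* the conversion that writes */
            found |= FMT_WRITES_MEMORY;
        if (*q == '\0')
            break;
        p = q;                               /* continue after this directive */
    }
    return found;
}
```

A nonzero result is a signal to reject the string; in this write-up’s case, “%6$hn” sets both bits.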
Once again, we look for an address in the PLT and use exit’s address. The setup of the payload is the same as in all previous write-ups: it is placed in an environment variable. The environment variable was found at 0xbfbd6905. In the payload of the environment variable, we use the trap instruction (“\xcc”) to see if execution lands in the NOP sled.
We hit our trap instruction; therefore, we simply exchange the “\xcc” with “\x90” and we should get a shell.