//Lab 1 - Task 4

#include

int main (int argc, char** argv) { const int magic = 80; const char secret[] = "\x44\x45\x46\x41\x43\x45\x44"; char buf[128]; sprintf(buf, argv[1]); if (magic != 80) printf("GREAT SUCCESS! "); printf(buf); printf(" "); return 0; }

For this question we will be using the above code. The purpose of this question is to exploit a format string vulnerability to read and write arbitrary memory. Compile the above code into binary form using GCC. In order to successfully exploit the vulnerability you need to perform the following steps: Find the offset from ESP that stores the address of the variable you want to read/write Determine how many 4-byte chunks on the stack you need to traverse to get to your desired address Craft an appropriate format string to perform the stack traversal and read/write of your desired address Use the Python command $(python c print

+ %08x-* + %s/%n to read/write respectively Question 4.1 Construct a Format String exploit to read the contents of secret[]. Provide a screenshot showing successful output including your exploit string. Question 4.2 Construct a Format String exploit to change the value of magic such that the program prints GREAT SUCCESS! Provide a screenshot showing successful output including your exploit string.