Exploit Education | Phoenix | Format One Solution

The description and source code can be found here:

This level is largely the same as the previous, except now we need to set the changeme variable to a specific value (0x45764f6c). We know we can overflow the dest variable with the “%x” format specifier. We can use a number before the “x” to specify how many characters to print. For example, the fill the 32 byte buffer for the dest variable, we can use “%32x”. Then we’ll simply append the required bytes for the changeme variable.

user@phoenix-amd64:~$ echo -e "%32x\x6c\x4f\x76\x45" | /opt/phoenix/amd64/format-one 
Welcome to phoenix/format-one, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed correctly!

1 thought on “Exploit Education | Phoenix | Format One Solution

  1. Juan says:

    This one was easy 🙂 Moving forward, I arrived to the same solution this time. Almost the same, for the padding I used “%032x” instead of your better solution where we can save one char “%32x”. When I first read through the sprintf man page I didn’t realize that we were able to do that. With “%032” we are padding with “0” chars, and with just “%32” we are padding with spaces. Great!


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.