
About

Introductory format string level that covers basic expansion.

Vulnerability Type: Format
Position Independent Executable: No
Read only relocations: No
Non-Executable stack: Yes
Non-Executable heap: Yes
Address Space Layout Randomisation: Yes
Source Fortification: No

Source code

(level10.c) download
#include "../common/common.c"

/*
 * Read one short line from stdin, format it into `output`, and compare
 * `target` against a magic value.
 *
 * This is the deliberately vulnerable function of the level (the page lists
 * the vulnerability type as "Format"), so the code is left exactly as
 * published; the comments below name the defects and show how production
 * code would avoid them.
 *
 * Takes no arguments and never returns: every path ends in exit(0).
 */
void expand_the_input()
{
  volatile int target;  /* volatile: the comparison below re-reads it from memory */
  char output[1024];    /* destination of the unbounded sprintf() below */
  char input[12];       /* untrusted text; fgets() below stores at most 10 characters */
  
  target = 0;
  memset(input, 0, sizeof(input));
  memset(output, 0, sizeof(output));

  /*
   * The return value of fgets() is not checked. Because `input` was zeroed
   * above, EOF or a read error leaves an empty string and the strlen() test
   * exits.
   */
  fgets(input, sizeof(input)-1, stdin);
  if(strlen(input) == 0) exit(0);
  
  /*
   * DEFECT (CWE-134, uncontrolled format string): `input` is passed as the
   * format argument, so any conversion specification it contains is
   * interpreted by sprintf() instead of being copied as text.
   *
   * DEFECT (CWE-120 / CWE-787): sprintf() takes no destination size, and the
   * length of the formatted result is not bounded by the length of the
   * format string, so the small size of `input` does not protect `output`.
   *
   * Remediation in real code:
   *     snprintf(output, sizeof(output), "%s", input);
   * and build with -Wformat -Wformat-security plus _FORTIFY_SOURCE (listed on
   * this page as disabled for the level) so the pattern is reported at build
   * time or stopped at run time.
   */
  sprintf(output, input);

  /*
   * `target` is set to 0 above and never assigned again in this function, so
   * this branch is only reachable if the sprintf() call corrupted memory.
   * It is the level's success marker.
   */
  if(target == 0xdea110c8) {
      printf("\n[ critical hit! :> ]\n");
      system("exec /bin/sh");
      exit(0);
  }

  printf("\n[ target contains 0x%08x, wanted 0xdea110c8 ]\n", target);
  exit(0);

}

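/*
 * Entry point of the level's network service.
 *
 * The helpers and the NAME/UID/GID/PORT constants come from
 * ../common/common.c, which is not shown on this page. Presumably
 * background_process() daemonises and switches to the given UID/GID,
 * serve_forever() returns a descriptor for an accepted client, and set_io()
 * attaches that descriptor to stdin/stdout -- confirm against common.c.
 * If so, everything expand_the_input() reads from stdin is untrusted,
 * network-supplied data.
 *
 * argc, argv and envp are not used.
 */
int main(int argc, char **argv, char **envp)
{
  int fd;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  set_io(fd);

  expand_the_input();

  /* Not reached: expand_the_input() calls exit(0) on every path. */
  return 0;
}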