When pointers are corrupted from format string vulnerabilities and heap overflows, an adversary can inject arbitrary input into critical parts of a process's memory. One such area for corruption is the procedure link table: a table of function pointers that support dynamically linked library calls. The table is filled in at load time to support run$-$time code relocation and is often left writeable. In this level, you are allowed one arbrtrary write to an arbitrary memory location between $0$x$0$ and $0$xff$000000$ to unlock the program. We have added a call to sleep$()$ that you may hijack. To do so$,$ use objdump" or $"$gdb$"$ to find its PLT entry, the memory location to overwrite and the address of the function to execute instead. We have included the source code for you to peruse. Note that the password will be read in using: scanf$("\%$lx $\%$lx$")$;

The password is a hexadecimal address and a hexadecimal value to place at that address.

Here's the full C code:

char msg$[]=$

$"($From overthewire.org$)$ When pointers are corrupted from format string

$"$

"vulnerabilities and heap overflows, an adversary can inject arbitrary

$"$

"input into critical parts of a process's memory. One such area for

$"$

"corruption is the procedure link table: a table of function pointers

$"$

"that support dynamically linked library calls. The table is filled in at

$"$

"load time to support run$-$time code relocation and is often left writeable.

$"$

$"$In this level, you are allowed one arbrtrary write to an arbitrary memory

$"$

"location between $0$x$0$ and $0$xff$000000$ to unlock the program. We have added

$"$

"a call to sleep$()$ that you may hijack. To do so$,$ use objdump$\backslash "$ or $\backslash "$gdb$\backslash "$

$"$

$"$to find its PLT entry, the memory location to overwrite and the address of

$"$

"the function to execute instead. We have included the source code for you

$"$

$"$to peruse. Note that the password will be read in using:

$"$

$"$ scanf$(\backslash "\%$lx $\backslash \%$lx$\backslash ")$;

$"$;

void print$\_$good$()\{$

printf$("$Good Job.

$")$;

exit$(0)$;

$\}$

void segv$\_$handler$($int sig$)\{$

printf$("$Segmentation fault. Try again.

$")$;

exit$(0)$;

$\}$

void ill$\_$handler$($int sig$)\{$

printf$("$Illegal instruction hit. Try again.

$")$;

exit$(0)$;

$\}$

void print$\_$msg$()\{$

printf$("\%$s$",$msg$)$;

$\}$

int main$()$

$\{$

unsigned long int $*$ip;

unsigned long int i;

signal$($SIGSEGV$,$ segv$\_$handler$)$;

signal$($SIGILL$,$ ill$\_$handler$)$;

print$\_$msg$()$;

printf$("$The password is a hexadecimal address and a hexadecimal value

$")$;

printf$("$to place at that address.

$")$;

printf$("$Enter the password: $")$;

scanf$("\%$lx $\%$lx$",($unsigned long int $*)$ &ip$,$&i$)$;

if $($ip $>($unsigned long int $*)0$xff$000000)\{$

printf$("$Address too high. Try again.

$")$;

exit$(0)$;

$\}$

$*$ip $=$ i;

printf$("$The address: $\%$lx will now contain $\%$lx

$",($unsigned long int$)$ ip$,$i$)$;

sleep$(1)$;

printf$("$Try again.

$")$;

exit$(0)$;

$\}$

Output of objdump $-$D grep print$\_$good:

$0000000058645466$ :

Here's the output of objdump $-$D grep sleep:

$586455$a$5$: e$8$ d$6$ ba db a$7$ call $401080$

$0000000000401080$ :

$401080$: ff $25$ ba $6$f $2458$ jmp $*0$x$58246$fba$(\%$rip$)$ # $58648040$