That's really helpful, your writeups really save my day!
You're a real bro, I've watched so many of your writeups. Got stuck on this one. Thanks for your help!
Glad to help. Thanks for the kind words!
Hey Martin, great video. Just one question:
Why do we pick up the 20 and 0x404062?
Thanks!
To write both halves of the number, we write to 0x404060 and 0x404062. 20 represents how far we have to walk up the stack to find our address.
@carlislemc Got it, thanks!
I have read so many writeups and I feel like I have a good grasp of how this vulnerability works, but it seems like something in this challenge must have changed because when you enter addresses in this x.. format it converts every character to hex including the slashes. I have copied and pasted strings from writeups and they just plain do not work. The only way I could get one of the addresses onto the stack is padding it out to an empty stack frame, but that's as far as I could get because you can't pass null characters.
At what point in the video does the challenge work differently for you?
Printf stops reading when it gets to a null byte no matter how it's entered. It will only read up to the first address and anything afterwards is ignored because of the 0s.
@tomk8312 printf does stop at the null byte, but you should still have the bytes on the stack to access with the % operators as long as they all appear before the null bytes. You'll note that I put %22$lx before the addresses.
Sir, I can't understand the stuff 🥹🥺🥺
I actually can't understand the format string 2 and 3 challenges. Please tell me what and where I should learn.
Perhaps you should read something like: axcheron.github.io/exploit-101-format-strings/
Been fighting with this one for a day now. Still no closer to understanding how this works. I thought I had a pretty good grasp on this, but this pwntools is like some kind of secret code that was intended to be undecipherable.