Protostar/Format 4

If you get stuck, you can watch the solution and explanation here:

In this episode we combine the last two videos. Format String + overwriting an entry of the Global Offset Table to solve format4 from

%p format4 looks at one method of redirecting execution in a process.


objdump -TR is your friend
This level is at /opt/protostar/bin/format4


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
  printf("code execution redirected! you win\n");

void vuln()
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);



int main(int argc, char **argv)

See also

Solving format1 from with a simple Format String vulnerability, exploited with %n.

In this video we will introduce how shared libraries like libc are used by C programs. Specifically we will look at the Global Offset Table and the Procedure Linkage Table.

This is a mirror. Copyright and original can be found here: