DEV Community

notdonk


[picoCTF] heap 0

OVERVIEW

challenge link - https://play.picoctf.org/practice/challenge/438
difficulty level - easy


SOLUTION

To solve this challenge we are given:

  • binary file of the program
  • source code of the program
  • connection to the remote instance

After examining the source code, I see that the program allocates two heap buffers, input_data and safe_var.

To get the flag we somehow need to change the value of safe_var from "bico" to something else.
Snippet of the check_win function:

void check_win() {
    if (strcmp(safe_var, "bico") != 0) {
        printf("\nYOU WIN\n");

        // Print flag
        char buf[FLAGSIZE_MAX];
        FILE *fd = fopen("flag.txt", "r");
        fgets(buf, FLAGSIZE_MAX, fd);
        printf("%s\n", buf);
        fflush(stdout);

        exit(0);
    } else {
        printf("Looks like everything is still secure!\n");
        printf("\nNo flage for you :(\n");
        fflush(stdout);
    }
}

Exploring further, I found this:

void write_buffer() {
    printf("Data for buffer: ");
    fflush(stdout);
    scanf("%s", input_data);
}

This is a serious security flaw: scanf("%s") does not bound the length of the input, so we can overflow the input_data buffer and overwrite the adjacent heap memory, including safe_var.

To determine the exact input length required to overwrite safe_var, I analyzed the heap layout of the program:

Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x62dd9d4312b0 -> pico
+-------------+----------------+
[*] 0x62dd9d4312d0 -> bico
+-------------+----------------+

These are hex numbers, so to find the difference between them we can use an online hex calculator (0x62dd9d4312d0 - 0x62dd9d4312b0 = 0x20, which is 32 in decimal).

Site I used - https://www.rapidtables.com/calc/math/hex-calculator.html?num1=0x63c3882552d0&op=1&num2=0x63c3882552b0

The difference is 32 bytes, so we need to enter something that is at least 33 bytes long. In this case I enter

You can enter anything longer than 32 bytes. After doing this, when we print the flag we get our beloved flag.
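As an added example (not part of the write-up or the challenge source), here is what a fixed write_buffer() looks like: the unbounded scanf("%s") is replaced by a length-bounded fgets() that drains the rest of an over-long line, so surplus input can never reach the neighbouring chunk. The 5-byte chunk sizes are my assumption for this example, and fmemopen() is only used to feed a constructed line to the reader.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed chunk sizes (assumption, not copied from the challenge). A malloc this
 * small still gets the 32-byte minimum chunk on 64-bit glibc, matching the 0x20 stride above. */
#define INPUT_DATA_SIZE 5
#define SAFE_VAR_SIZE 5

/* Hardened replacement for write_buffer(). The original scanf("%s", input_data) has no
 * length limit; this reads at most size-1 bytes with fgets(), strips the newline and
 * discards the rest of an over-long line. Returns the number of bytes stored. */
size_t write_buffer_bounded(char *dst, size_t size, FILE *in) {
    if (size == 0 || fgets(dst, (int)size, in) == NULL) {
        if (size) dst[0] = '\0';
        return 0;
    }
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';                       /* whole line fit in the buffer */
    } else {
        int c;                                 /* line was longer: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n') {}
    }
    return len;
}

/* Same predicate check_win() uses: non-zero once safe_var no longer reads "bico". */
int safe_var_tampered(const char *safe_var) {
    return strcmp(safe_var, "bico") != 0;
}

/* Lays out the two chunks like the challenge, feeds `line` through the bounded reader
 * (via an in-memory FILE) and returns 1 if safe_var was changed, 0 if it survived. */
int run_with_input(const char *line) {
    char *input_data = malloc(INPUT_DATA_SIZE);
    char *safe_var = malloc(SAFE_VAR_SIZE);
    if (!input_data || !safe_var) { free(input_data); free(safe_var); return -1; }
    strcpy(input_data, "pico");
    strcpy(safe_var, "bico");
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in) { write_buffer_bounded(input_data, INPUT_DATA_SIZE, in); fclose(in); }
    int tampered = safe_var_tampered(safe_var);
    free(input_data);
    free(safe_var);
    return tampered;
}
```

With the bounded reader a 48-byte line leaves safe_var untouched and check_win() keeps printing "everything is still secure".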


FLAG

picoCTF{my_first_heap_overflow_c3935a08}
