OVERVIEW
challenge link - https://play.picoctf.org/practice/challenge/438
difficulty level - easy
SOLUTION
So, to solve this CTF we are given:
- the binary file of the program
- the source code of the program
- a connection to the remote instance
After examining the source code I see that the program allocates two variables on the heap, input_data and safe_var.
To get the flag we somehow need to change the value of safe_var from "bico" to something else.
Snippet of the check_win function:
// safe_var and FLAGSIZE_MAX are defined elsewhere in the challenge source.
void check_win() {
    // The flag is printed only if safe_var no longer holds "bico".
    if (strcmp(safe_var, "bico") != 0) {
        printf("\nYOU WIN\n");
        // Print flag
        char buf[FLAGSIZE_MAX];
        FILE *fd = fopen("flag.txt", "r");
        fgets(buf, FLAGSIZE_MAX, fd);
        printf("%s\n", buf);
        fflush(stdout);
        exit(0);
    } else {
        printf("Looks like everything is still secure!\n");
        printf("\nNo flage for you :(\n");
        fflush(stdout);
    }
}
Exploring further I found this:
// input_data is a heap buffer allocated elsewhere in the challenge source.
void write_buffer() {
    printf("Data for buffer: ");
    fflush(stdout);
    // "%s" has no width limit: scanf keeps writing until whitespace.
    scanf("%s", input_data);
}
This is a huge security flaw: scanf("%s") reads until whitespace with no length limit, so the input is never bounded and we can overflow the input_data buffer, overwriting the adjacent memory locations, including safe_var.
To determine the exact string length required to overwrite safe_var, I analyzed the memory layout of the program:
Heap State:
+----------------+-----------+
| Address        | Heap Data |
+----------------+-----------+
| 0x62dd9d4312b0 | pico      |   <- input_data
| 0x62dd9d4312d0 | bico      |   <- safe_var
+----------------+-----------+
These are hex numbers, so to find the difference between them we can use an online hex calculator (0x...12d0 - 0x...12b0 = 0x20).
Site I used - https://www.rapidtables.com/calc/math/hex-calculator.html?num1=0x63c3882552d0&op=1&num2=0x63c3882552b0
The difference is 32 bytes, so we need to enter something at least 33 bytes long; you can enter anything longer than 32 bytes (in this case I entered such a string). After doing this, when we print the flag, we get our beloved flag.
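To make the 32-byte distance concrete, here is an added example (not code from the challenge or this writeup) that models the printed layout in a flat array, reproduces the unbounded scanf("%s") copy with strcpy, and places a bounded write beside it as the fix. The arena size, INPUT_DATA_SIZE and the hardened write_buffer_bounded function are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the printed layout: input_data at offset 0, safe_var
 * 0x20 bytes later. A flat array stands in for the heap so the overwrite is
 * deterministic; INPUT_DATA_SIZE and the hardened write are assumptions. */
#define ARENA_SIZE 64
#define SAFE_VAR_OFFSET 0x20
#define INPUT_DATA_SIZE 5

static unsigned char arena[ARENA_SIZE];
static char *const input_data = (char *)arena;
static char *const safe_var = (char *)arena + SAFE_VAR_OFFSET;

/* Put the model heap back into the state shown in the writeup. */
static void reset_heap(void) {
    memset(arena, 0, sizeof arena);
    strcpy(input_data, "pico");
    strcpy(safe_var, "bico");
}

/* Vulnerable form: scanf("%s") copies until whitespace with no length limit,
 * which strcpy reproduces here. */
static void write_buffer_unbounded(const char *user_input) {
    strcpy(input_data, user_input);
}

/* Hardened form: copy at most INPUT_DATA_SIZE-1 bytes and NUL-terminate, the
 * same effect as fgets(input_data, INPUT_DATA_SIZE, stdin) or scanf("%4s"). */
static void write_buffer_bounded(const char *user_input) {
    strncpy(input_data, user_input, INPUT_DATA_SIZE - 1);
    input_data[INPUT_DATA_SIZE - 1] = '\0';
}

/* Returns 1 while safe_var still equals "bico", i.e. check_win() still fails. */
int simulate(const char *user_input, int bounded) {
    reset_heap();
    if (bounded) write_buffer_bounded(user_input);
    else         write_buffer_unbounded(user_input);
    return strcmp(safe_var, "bico") == 0;
}

int main(void) {
    char payload[34];
    memset(payload, 'A', 33); payload[33] = '\0';   /* 33 bytes, as in the writeup */
    printf("unbounded: %s\n", simulate(payload, 0) ? "secure" : "safe_var overwritten");
    printf("bounded:   %s\n", simulate(payload, 1) ? "secure" : "safe_var overwritten");
    return 0;
}
```

With the bounded write the same 33-byte input leaves safe_var untouched, which is the change a fix to the challenge's write_buffer would need.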
FLAG
picoCTF{my_first_heap_overflow_c3935a08}