OVERVIEW
challenge link - https://play.picoctf.org/practice/challenge/438
difficulty level - easy
SOLUTION
so to solve this ctf we are given
- the binary file of the program
- the source code of the program
- a connection to the remote instance
after examining the source code i see that the program allocates two variables on the heap, input_data and safe_var
to get the flag we somehow need to change the value of safe_var from "bico" to something else
snippet of the check_win function

```c
void check_win() {
    // the flag is printed only if safe_var no longer holds "bico"
    if (strcmp(safe_var, "bico") != 0) {
        printf("\nYOU WIN\n");

        // Print flag
        char buf[FLAGSIZE_MAX];
        FILE *fd = fopen("flag.txt", "r");
        fgets(buf, FLAGSIZE_MAX, fd);
        printf("%s\n", buf);
        fflush(stdout);

        exit(0);
    } else {
        printf("Looks like everything is still secure!\n");
        printf("\nNo flage for you :(\n");
        fflush(stdout);
    }
}
```
exploring further i found this

```c
void write_buffer() {
    printf("Data for buffer: ");
    fflush(stdout);
    scanf("%s", input_data);   // unbounded read: no length limit on input_data
}
```
this is a serious security flaw: scanf("%s") has no length limit, so input longer than input_data overflows the buffer and overwrites the adjacent heap memory, including safe_var
to determine the exact string length required to overwrite safe_var i analyzed the memory layout of the program

```
Heap State:
+-------------+----------------+
[*] Address   ->   Heap Data
+-------------+----------------+
[*] 0x62dd9d4312b0  ->   pico
+-------------+----------------+
[*] 0x62dd9d4312d0  ->   bico
+-------------+----------------+
```
these are hex numbers, so to find the difference between them we can use an online hex calculator
site i used - https://www.rapidtables.com/calc/math/hex-calculator.html?num1=0x63c3882552d0&op=1&num2=0x63c3882552b0
the difference is 32 bytes (0x62dd9d4312d0 - 0x62dd9d4312b0 = 0x20), so we need to enter something that is at least 33 bytes; in this case i enter
you can enter anything that is more than 32 bytes. after doing this, when we print the flag we get our beloved flag
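As an added example (not part of the original writeup or the challenge's source), the C program below puts the two steps above into code: it computes the byte distance between the two chunk addresses from the "Heap State" dump and the smallest input length that reaches the neighbouring chunk, and it shows a bounded replacement for write_buffer() that keeps safe_var intact when an overlong line is supplied. The chunk sizes (5 bytes each) and the sample input line are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed chunk sizes: room for "pico"/"bico" plus a terminator. */
#define INPUT_DATA_SIZE 5
#define SAFE_VAR_SIZE   5

/* Byte distance between two heap addresses taken from the "Heap State"
   dump, passed as hex strings exactly as printed (0x prefix accepted). */
unsigned long long heap_distance(const char *lower_addr, const char *upper_addr) {
    unsigned long long lo = strtoull(lower_addr, NULL, 16);
    unsigned long long hi = strtoull(upper_addr, NULL, 16);
    return hi - lo;
}

/* Smallest input length whose bytes (not counting the terminator scanf adds)
   reach the first byte of the chunk that is 'distance' bytes away. */
unsigned long long min_overflow_len(unsigned long long distance) {
    return distance + 1;
}

/* Hardened replacement for the challenge's write_buffer(): a bounded read.
   Stores at most size-1 bytes from 'in', drops the trailing newline and never
   writes past input_data. Returns the number of bytes stored. */
size_t bounded_write_buffer(char *input_data, size_t size, FILE *in) {
    if (fgets(input_data, (int)size, in) == NULL) {
        input_data[0] = '\0';
        return 0;
    }
    input_data[strcspn(input_data, "\n")] = '\0';
    return strlen(input_data);
}

/* Simulates the challenge layout: two small heap chunks, then an input line
   fed through the bounded reader. Returns 1 if safe_var still reads "bico",
   0 if it was changed, -1 on allocation failure. */
int safe_var_survives(const char *line) {
    char *input_data = malloc(INPUT_DATA_SIZE);
    char *safe_var = malloc(SAFE_VAR_SIZE);
    if (!input_data || !safe_var) { free(input_data); free(safe_var); return -1; }
    strcpy(input_data, "pico");
    strcpy(safe_var, "bico");

    /* 'line' is a constructed stand-in for what the user types at the prompt. */
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in) { free(input_data); free(safe_var); return -1; }
    bounded_write_buffer(input_data, INPUT_DATA_SIZE, in);
    fclose(in);

    int intact = strcmp(safe_var, "bico") == 0;
    free(input_data);
    free(safe_var);
    return intact;
}

int main(void) {
    unsigned long long dist = heap_distance("0x62dd9d4312b0", "0x62dd9d4312d0");
    printf("chunk distance: %llu bytes, minimum overflowing input: %llu bytes\n",
           dist, min_overflow_len(dist));
    /* Constructed 44-byte line, well past the 32-byte distance. */
    const char *long_line = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    printf("safe_var intact after bounded read: %s\n",
           safe_var_survives(long_line) == 1 ? "yes" : "no");
    return 0;
}
```

The fix is the usual one for this bug class: read with a size bound (fgets, or scanf with a width such as "%4s") so that input longer than the buffer is truncated instead of spilling into the next chunk.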
FLAG
picoCTF{my_first_heap_overflow_c3935a08}