pwn/heap_0
This commit is contained in:
parent
8c11513945
commit
955da6e698
Binary file not shown.
|
@ -0,0 +1,127 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#define FLAGSIZE_MAX 64
|
||||
// amount of memory allocated for input_data
|
||||
#define INPUT_DATA_SIZE 5
|
||||
// amount of memory allocated for safe_var
|
||||
#define SAFE_VAR_SIZE 5
|
||||
|
||||
int num_allocs;
|
||||
char *safe_var;
|
||||
char *input_data;
|
||||
|
||||
void check_win() {
|
||||
if (strcmp(safe_var, "bico") != 0) {
|
||||
printf("\nYOU WIN\n");
|
||||
|
||||
// Print flag
|
||||
char buf[FLAGSIZE_MAX];
|
||||
FILE *fd = fopen("flag.txt", "r");
|
||||
fgets(buf, FLAGSIZE_MAX, fd);
|
||||
printf("%s\n", buf);
|
||||
fflush(stdout);
|
||||
|
||||
exit(0);
|
||||
} else {
|
||||
printf("Looks like everything is still secure!\n");
|
||||
printf("\nNo flage for you :(\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
}
|
||||
|
||||
void print_menu() {
|
||||
printf("\n1. Print Heap:\t\t(print the current state of the heap)"
|
||||
"\n2. Write to buffer:\t(write to your own personal block of data "
|
||||
"on the heap)"
|
||||
"\n3. Print safe_var:\t(I'll even let you look at my variable on "
|
||||
"the heap, "
|
||||
"I'm confident it can't be modified)"
|
||||
"\n4. Print Flag:\t\t(Try to print the flag, good luck)"
|
||||
"\n5. Exit\n\nEnter your choice: ");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
void init() {
|
||||
printf("\nWelcome to heap0!\n");
|
||||
printf(
|
||||
"I put my data on the heap so it should be safe from any tampering.\n");
|
||||
printf("Since my data isn't on the stack I'll even let you write whatever "
|
||||
"info you want to the heap, I already took care of using malloc for "
|
||||
"you.\n\n");
|
||||
fflush(stdout);
|
||||
input_data = malloc(INPUT_DATA_SIZE);
|
||||
strncpy(input_data, "pico", INPUT_DATA_SIZE);
|
||||
safe_var = malloc(SAFE_VAR_SIZE);
|
||||
strncpy(safe_var, "bico", SAFE_VAR_SIZE);
|
||||
}
|
||||
|
||||
void write_buffer() {
|
||||
printf("Data for buffer: ");
|
||||
fflush(stdout);
|
||||
scanf("%s", input_data);
|
||||
}
|
||||
|
||||
void print_heap() {
|
||||
printf("Heap State:\n");
|
||||
printf("+-------------+----------------+\n");
|
||||
printf("[*] Address -> Heap Data \n");
|
||||
printf("+-------------+----------------+\n");
|
||||
printf("[*] %p -> %s\n", input_data, input_data);
|
||||
printf("+-------------+----------------+\n");
|
||||
printf("[*] %p -> %s\n", safe_var, safe_var);
|
||||
printf("+-------------+----------------+\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
|
||||
// Setup
|
||||
init();
|
||||
print_heap();
|
||||
|
||||
int choice;
|
||||
|
||||
while (1) {
|
||||
print_menu();
|
||||
int rval = scanf("%d", &choice);
|
||||
if (rval == EOF){
|
||||
exit(0);
|
||||
}
|
||||
if (rval != 1) {
|
||||
//printf("Invalid input. Please enter a valid choice.\n");
|
||||
//fflush(stdout);
|
||||
// Clear input buffer
|
||||
//while (getchar() != '\n');
|
||||
//continue;
|
||||
exit(0);
|
||||
}
|
||||
|
||||
switch (choice) {
|
||||
case 1:
|
||||
// print heap
|
||||
print_heap();
|
||||
break;
|
||||
case 2:
|
||||
write_buffer();
|
||||
break;
|
||||
case 3:
|
||||
// print safe_var
|
||||
printf("\n\nTake a look at my variable: safe_var = %s\n\n",
|
||||
safe_var);
|
||||
fflush(stdout);
|
||||
break;
|
||||
case 4:
|
||||
// Check for win condition
|
||||
check_win();
|
||||
break;
|
||||
case 5:
|
||||
// exit
|
||||
return 0;
|
||||
default:
|
||||
printf("Invalid choice\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
$ nc tethys.picoctf.net 62334
|
||||
|
||||
Welcome to heap0!
|
||||
I put my data on the heap so it should be safe from any tampering.
|
||||
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
|
||||
|
||||
Heap State:
|
||||
+-------------+----------------+
|
||||
[*] Address -> Heap Data
|
||||
+-------------+----------------+
|
||||
[*] 0x5fa8485542b0 -> pico
|
||||
+-------------+----------------+
|
||||
[*] 0x5fa8485542d0 -> bico
|
||||
+-------------+----------------+
|
||||
|
||||
1. Print Heap: (print the current state of the heap)
|
||||
2. Write to buffer: (write to your own personal block of data on the heap)
|
||||
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
|
||||
4. Print Flag: (Try to print the flag, good luck)
|
||||
5. Exit
|
||||
|
||||
Enter your choice: 2
|
||||
Data for buffer: picopicopicopicopicopicopicopicopico
|
||||
|
||||
1. Print Heap: (print the current state of the heap)
|
||||
2. Write to buffer: (write to your own personal block of data on the heap)
|
||||
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
|
||||
4. Print Flag: (Try to print the flag, good luck)
|
||||
5. Exit
|
||||
|
||||
Enter your choice: 4
|
||||
|
||||
YOU WIN
|
||||
picoCTF{my_first_heap_overflow_e4c92a78}
|
Loading…
Reference in New Issue