pwn/heap_0
This commit is contained in:
parent
8c11513945
commit
955da6e698
GPG Key ID:
9F2F7D8250F35146
Binary file not shown.
|
|
@ -0,0 +1,127 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#define FLAGSIZE_MAX 64
|
||||||
|
// amount of memory allocated for input_data
|
||||||
|
#define INPUT_DATA_SIZE 5
|
||||||
|
// amount of memory allocated for safe_var
|
||||||
|
#define SAFE_VAR_SIZE 5
|
||||||
|
|
||||||
|
int num_allocs;
|
||||||
|
char *safe_var;
|
||||||
|
char *input_data;
|
||||||
|
|
||||||
|
void check_win() {
|
||||||
|
if (strcmp(safe_var, "bico") != 0) {
|
||||||
|
printf("\nYOU WIN\n");
|
||||||
|
|
||||||
|
// Print flag
|
||||||
|
char buf[FLAGSIZE_MAX];
|
||||||
|
FILE *fd = fopen("flag.txt", "r");
|
||||||
|
fgets(buf, FLAGSIZE_MAX, fd);
|
||||||
|
printf("%s\n", buf);
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
exit(0);
|
||||||
|
} else {
|
||||||
|
printf("Looks like everything is still secure!\n");
|
||||||
|
printf("\nNo flage for you :(\n");
|
||||||
|
fflush(stdout);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void print_menu() {
|
||||||
|
printf("\n1. Print Heap:\t\t(print the current state of the heap)"
|
||||||
|
"\n2. Write to buffer:\t(write to your own personal block of data "
|
||||||
|
"on the heap)"
|
||||||
|
"\n3. Print safe_var:\t(I'll even let you look at my variable on "
|
||||||
|
"the heap, "
|
||||||
|
"I'm confident it can't be modified)"
|
||||||
|
"\n4. Print Flag:\t\t(Try to print the flag, good luck)"
|
||||||
|
"\n5. Exit\n\nEnter your choice: ");
|
||||||
|
fflush(stdout);
|
||||||
|
}
|
||||||
|
|
||||||
|
void init() {
|
||||||
|
printf("\nWelcome to heap0!\n");
|
||||||
|
printf(
|
||||||
|
"I put my data on the heap so it should be safe from any tampering.\n");
|
||||||
|
printf("Since my data isn't on the stack I'll even let you write whatever "
|
||||||
|
"info you want to the heap, I already took care of using malloc for "
|
||||||
|
"you.\n\n");
|
||||||
|
fflush(stdout);
|
||||||
|
input_data = malloc(INPUT_DATA_SIZE);
|
||||||
|
strncpy(input_data, "pico", INPUT_DATA_SIZE);
|
||||||
|
safe_var = malloc(SAFE_VAR_SIZE);
|
||||||
|
strncpy(safe_var, "bico", SAFE_VAR_SIZE);
|
||||||
|
}
|
||||||
|
|
||||||
|
void write_buffer() {
|
||||||
|
printf("Data for buffer: ");
|
||||||
|
fflush(stdout);
|
||||||
|
scanf("%s", input_data);
|
||||||
|
}
|
||||||
|
|
||||||
|
void print_heap() {
|
||||||
|
printf("Heap State:\n");
|
||||||
|
printf("+-------------+----------------+\n");
|
||||||
|
printf("[*] Address -> Heap Data \n");
|
||||||
|
printf("+-------------+----------------+\n");
|
||||||
|
printf("[*] %p -> %s\n", input_data, input_data);
|
||||||
|
printf("+-------------+----------------+\n");
|
||||||
|
printf("[*] %p -> %s\n", safe_var, safe_var);
|
||||||
|
printf("+-------------+----------------+\n");
|
||||||
|
fflush(stdout);
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(void) {
|
||||||
|
|
||||||
|
// Setup
|
||||||
|
init();
|
||||||
|
print_heap();
|
||||||
|
|
||||||
|
int choice;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
print_menu();
|
||||||
|
int rval = scanf("%d", &choice);
|
||||||
|
if (rval == EOF){
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
if (rval != 1) {
|
||||||
|
//printf("Invalid input. Please enter a valid choice.\n");
|
||||||
|
//fflush(stdout);
|
||||||
|
// Clear input buffer
|
||||||
|
//while (getchar() != '\n');
|
||||||
|
//continue;
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (choice) {
|
||||||
|
case 1:
|
||||||
|
// print heap
|
||||||
|
print_heap();
|
||||||
|
break;
|
||||||
|
case 2:
|
||||||
|
write_buffer();
|
||||||
|
break;
|
||||||
|
case 3:
|
||||||
|
// print safe_var
|
||||||
|
printf("\n\nTake a look at my variable: safe_var = %s\n\n",
|
||||||
|
safe_var);
|
||||||
|
fflush(stdout);
|
||||||
|
break;
|
||||||
|
case 4:
|
||||||
|
// Check for win condition
|
||||||
|
check_win();
|
||||||
|
break;
|
||||||
|
case 5:
|
||||||
|
// exit
|
||||||
|
return 0;
|
||||||
|
default:
|
||||||
|
printf("Invalid choice\n");
|
||||||
|
fflush(stdout);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,34 @@
|
||||||
|
$ nc tethys.picoctf.net 62334
|
||||||
|
|
||||||
|
Welcome to heap0!
|
||||||
|
I put my data on the heap so it should be safe from any tampering.
|
||||||
|
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
|
||||||
|
|
||||||
|
Heap State:
|
||||||
|
+-------------+----------------+
|
||||||
|
[*] Address -> Heap Data
|
||||||
|
+-------------+----------------+
|
||||||
|
[*] 0x5fa8485542b0 -> pico
|
||||||
|
+-------------+----------------+
|
||||||
|
[*] 0x5fa8485542d0 -> bico
|
||||||
|
+-------------+----------------+
|
||||||
|
|
||||||
|
1. Print Heap: (print the current state of the heap)
|
||||||
|
2. Write to buffer: (write to your own personal block of data on the heap)
|
||||||
|
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
|
||||||
|
4. Print Flag: (Try to print the flag, good luck)
|
||||||
|
5. Exit
|
||||||
|
|
||||||
|
Enter your choice: 2
|
||||||
|
Data for buffer: picopicopicopicopicopicopicopicopico
|
||||||
|
|
||||||
|
1. Print Heap: (print the current state of the heap)
|
||||||
|
2. Write to buffer: (write to your own personal block of data on the heap)
|
||||||
|
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
|
||||||
|
4. Print Flag: (Try to print the flag, good luck)
|
||||||
|
5. Exit
|
||||||
|
|
||||||
|
Enter your choice: 4
|
||||||
|
|
||||||
|
YOU WIN
|
||||||
|
picoCTF{my_first_heap_overflow_e4c92a78}
|
||||||
Loading…
Reference in New Issue