Skip to content

rootmytoaster/Binary-Exploitation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
Write-Up-Images
Write-Up-Images
 
 
chall
chall
 
 
chall.c
chall.c
 
 
readme.md
readme.md
 
 

Repository files navigation

Buffer Overflow Exploit Write-Up - heap 0

Initial Analysis

When running the binary, selecting Option 2 allows manipulation of a buffer. This suggests a potential vulnerability for a buffer overflow attack.

Option 2 Buffer Manipulation

Attempting the Overflow

We attempted to overflow the buffer by providing excessive input, expecting to disrupt the program's behavior.

Buffer Overflow Attempt

Surprisingly, nothing strange happened. The program appeared to handle the input without crashing and runs as normal.

No Visible Effect

Source Code Review

To understand why the overflow attempt failed, we examined the source code, focusing on the check_win() function. The function checks if safe_var is not equal to "bico". If it does not, the program retrieves a flag, indicating safe_var is critical to exploiting the vulnerability.

Source Code check_win()

Core Flaws

  1. Memory Layout Flaw: The source code reveals that safe_var is allocated immediately after the input buffer in memory. This contiguous allocation means that overflowing the input buffer could overwrite safe_var, allowing us to control it. This is a classic buffer overflow vulnerability, as there’s no boundary checking.

  2. Unbounded Input Flaw: The write_buffer() function uses scanf without specifying a character limit. This allows an attacker to input an arbitrarily long string, exceeding the buffer capacity and overwriting safe_var.

scanf Usage

Exploit Strategy

The address table below shows the memory addresses of input_data and safe_var. There’s a 0x20 (32-byte) offset between them. Since safe_var is immediately after input_data, the 33rd character of the input will overwrite safe_var. By inputting 32 characters (to fill input_data) plus any additional characters, we can set safe_var to "pico" or any desired value to manipulate the program’s logic and obtain the flag.

Address Table

Crafting the Exploit

To overwrite safe_var, we input exactly 32 characters followed by the desired value for safe_var. For fun, we can set safe_var to a custom message, demonstrating full control over the variable.

Example Input:

^[[A^[[D^[[C^[[D^[[C^[[A^[[D^[[AAnyMessageYouWant

This input fills the 32-byte buffer and overwrites safe_var with "AnyMessageYouWant", showcasing the vulnerability’s potential.

New safe_var

Address Table

Conclusion

This binary is vulnerable due to poor memory management and lack of input validation. By exploiting the buffer overflow, we can manipulate safe_var to bypass the check_win() condition and retrieve the flag.

Successful Exploit

  • Write-up by Debug

About

Buffer Overflow - Heap 0 write-up

Topics

c reverse-engineering ctf-writeups ctf binary-exploitation picoctf binary-hacking

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages