heap 0 (picoCTF 10)

Challenge Author: ABRXS, PR10R1TYQ

Difficulty: Easy

Description

Are overflows just a stack concern?

Process / Notes

  1. wget the files
  2. I don’t know any C, so this is going to be challenging
  3. I checked the binary, but didn’t find anything that seemed useful. I even tried a hex dump and nothing seemed useful.
  4. Played around with the challenge instance, initialized with the netcat command nc
    • Allowed us to see the status of the heap: by pressing 1
    • Allowed us to write to the heap: by pressing 2
    • Allowed us to see the ‘safe variable’ which they gave to us as safe_var = bico: by pressing 3
    • Allowed us to attempt to retrieve the flag: by pressing 4
    • Exits: by pressing 5
  5. After poking around a little, I opened up the source code
  6. I could see that there was a section at the top that defined the sizes for the flag, input data, and safe variable. In the check win section, it looks like it’s saying that if the safe_var is not bico, then you win and the system will give you the flag when you press 4; but we don’t have access to the safe_var directly
  7. The hint reads “What part of the heap do you have control over and how far is it from the safe_var?”
  8. We have control over the input. I tried entering something with 2, and it looked like it replaced the variable that read pico with my input. Because I saw the “INPUT_DATA_SIZE” was set to 5, I decided to try and make something that was 5 characters long. Doing so pushed the input outside the bounds of the nice box they displayed when you entered 1, but nothing else
  9. Then I looked at the hint again and saw that it said “how far away is it from safe_var?” Looking back at the source code I saw that in the //PRINT FLAG section there was a char buf[FLAG_SIZE_MAX], which seemed to be the key.
  10. At the top, the FLAG_SIZE_MAX was set to 64. This made me think that there were 64 spaces between the input data and the safe_var, which the author was sure “couldn’t be changed.”
  11. To solve, I entered more than 64 characters as the input, then viewed the heap status. This showed that the top variable, the input, extended way outside the display box and then actually started pushing down into the safe_var box, effectively changing the safe_var value to something other than ‘bico’
  12. Entering 4 now produced the win and the flag
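As an added illustration (my own code, not the challenge's source, which the notes above only paraphrase), the C program below models the layout the notes describe: a 5-byte input buffer with safe_var assumed to sit 64 bytes after it, a write with no length check beside the bounded form that would have stopped the overflow, and the check_win test that releases the flag once safe_var no longer reads "bico". The flat arena standing in for the heap, the 64-byte distance (the writeup's inference, not a measured allocator layout) and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes from the writeup's reading of the challenge source. The 64-byte
   distance between input_data and safe_var is the writeup's inference and is
   an assumption of this model, not a measured glibc chunk layout. */
#define INPUT_DATA_SIZE 5
#define SAFE_VAR_SIZE   5
#define SAFE_VAR_OFFSET 64
#define ARENA_SIZE      (SAFE_VAR_OFFSET + SAFE_VAR_SIZE)

/* One flat arena standing in for the heap: input_data lives at offset 0 and
   safe_var sits SAFE_VAR_OFFSET bytes after it, as two adjacent allocations would. */
struct heap_model {
    char arena[ARENA_SIZE];
};

static void heap_model_init(struct heap_model *h)
{
    memset(h->arena, 0, sizeof h->arena);
    memcpy(h->arena, "pico", INPUT_DATA_SIZE);                  /* input_data */
    memcpy(h->arena + SAFE_VAR_OFFSET, "bico", SAFE_VAR_SIZE);  /* safe_var   */
}

static const char *safe_var(const struct heap_model *h)
{
    return h->arena + SAFE_VAR_OFFSET;
}

/* Vulnerable write: copies the user's whole string plus its NUL with no regard
   for INPUT_DATA_SIZE, the way an unbounded strcpy()/gets() would. The only cap
   is the arena itself, so the model stays inside defined behaviour. */
static void write_unbounded(struct heap_model *h, const char *user)
{
    size_t n = strlen(user) + 1;
    if (n > ARENA_SIZE)
        n = ARENA_SIZE;
    memcpy(h->arena, user, n);
}

/* Hardened write: never more than INPUT_DATA_SIZE - 1 characters plus the NUL,
   so the copy cannot reach the next allocation. */
static void write_bounded(struct heap_model *h, const char *user)
{
    snprintf(h->arena, INPUT_DATA_SIZE, "%s", user);
}

/* check_win as the writeup describes it: the flag is released once safe_var no
   longer reads "bico". strncmp keeps the compare inside the 5-byte region. */
static int check_win(const struct heap_model *h)
{
    return strncmp(safe_var(h), "bico", SAFE_VAR_SIZE) != 0;
}

/* Build a constructed input of `len` 'A' characters, apply it with the chosen
   write, and report whether check_win() would hand over the flag. */
static int run_input(size_t len, int bounded)
{
    char user[ARENA_SIZE + 1];
    if (len > ARENA_SIZE)
        len = ARENA_SIZE;
    memset(user, 'A', len);
    user[len] = '\0';

    struct heap_model h;
    heap_model_init(&h);
    if (bounded)
        write_bounded(&h, user);
    else
        write_unbounded(&h, user);
    return check_win(&h);
}

int main(void)
{
    size_t lens[] = { 4, 5, 63, 64, 70 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu chars: unbounded win=%d  bounded win=%d\n",
               lens[i], run_input(lens[i], 0), run_input(lens[i], 1));
    return 0;
}
```

In this model the terminating NUL of a 64-character input is already enough to change safe_var, so the boundary is one byte earlier than a count of visible characters suggests; the bounded version never reaches it because the copy is capped at the size of the allocation it fills rather than at the length of what the user typed, which is the same fix any read into a fixed-size heap buffer needs.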

17 minutes 0 seconds to complete

Hints

“What part of the heap do you have control over and how far is it from the safe_var?”

Core Lessons

  1. Understanding what the ‘heap’ and ‘stack’ are
  2. Understanding what the maximum allowable input length was
  3. Understanding how to push beyond that in order to change the next value