Skip to main content

heap 0 - PicoGym

 This challenge, while technically a heap exploit is relatively easy. It is a simple buffer overflow in which the buffer that is supposedly "safe" is located directly after a user controlled buffer in the heap. Just like with a stack overflow, we can write past the bounds of our buffer and overwrite the "safe" buffer.

The files and other items for this challenge can be found at the PicoGym under the challenge named "heap 0". I started as I always do by running "checksec" on the binary (pwntools required).

 

Fortunately, the debugging info is left in which is convenient, but we have access to the source code anyway so its not super helpful. Unfortunately, the stack is not executable, and addresses are randomized, since we know from the name and description that this is a heap overflow challenge though that is not really too surprising.

While I can't really capture it in blog form, my next step was to read through and understand every line of the source code. I tend to skimp on this a lot of the time and it always results in the challenge taking longer than it would have if I would have just read the thing. After reading the source code, I ran a few "test laps" to both test my understanding and to see how everything works in practice. The big takeaway is that malloc is used twice, both times with a size of '5' to store the protected variable and the user input variable.

Next I created my first version of the exploit, which was set up to help me explore the heap and be sure everything was where I expected it to be.

 I let the exploit run, and within GDB explored around the heap. I could see from the executable output, that the malloc calls had returned addresses ending in '16b0' and '16d0'. In gdb, I used the examine command to view the data in place on the heap.

  

 Note that this printout was from before I sent the AAAA string to the binary.

In the red boxes above we can see both addresses and the strings they contain. There is the 0x21 between the payloads. This is metadata and flags which help to describe the memory allocation in the linked list that makes up the heap. For this challenge, we can overwrite it without issue.

Since we now know how our exploit should work, instead of sending four 'A' characters, we will send enough (33) to overflow the malloc chunk and overwrite the first character of the "safe" variable. That can be seen in the exploit below.

When executed, this successfully overwrites the file and gives my my local dummy flag. To get the real one, just use a remote connection in pwn tools and send the exploit to the server hosting the code.

Comments

Post a Comment

Popular posts from this blog

PICOGYM - Here's a LIBC

This challenge is brought to us courtesy of picoGym, which is picoCTF's year round training platform.  The challenge provides 3 files: libc.so.6, Makefile, and vuln.  All three files, and the code used in this walk-through, can be found in my GitHub repo at  https://github.com/ChrisCHumphreys/picolab/tree/main/heres_a_lib_c .  Also, a huge thanks to guyinatuxedo, whose resources at https://guyinatuxedo.github.io/index.html were invaluable in helping me to learn this stuff. On my system at least, the executable would not work due to my having a different libc in use than the one the program was originally compiled with.  I fixed this by running pwninit on the file and generating a version of vuln that uses the libc provided with the challenge. The name of this new modified file is vuln_patched.  pwninit can be found at  https://github.com/io12/pwninit . First, running checksec on this executable shows that very few protections are enabled, but that the...
Post a Comment
Read more

KnightCTF 2022 - Whats your name 2

This is my write up of the whats_your_name_2 challenge from KnightCTF 2022.  The files needed for this writeup can be found at https://github.com/ChrisCHumphreys/knightctf22/tree/main/whats_your_name_2 . First, by examining the executable with checksec from pwn tools we can see that we have a 64 bit binary with very few protections built in. Running the program shows that it simply asks us to enter a username, and then the program exits.   Next, examining the de compilation in Ghidra, we can see that there is an fgets call that will read in a max of 200 bytes to a char buffer named input_buf.  No real problems here are there is more than enough room for 200 characters in the buffer.   Following this, we can see that there is a call to strcpy which will copy the string in input_buf to the local_58 buffer.  This is where the problem is.  strcpy does not check to ensure that the string being copied will fit into the buffer being copied to.  It just kee...
Post a Comment
Read more