Description
Are overflows just a stack concern?
Setup
Local + remote
Download the heap0 binary and source, then review how the write option copies input onto the heap.
Connect to the live challenge instance at tethys.picoctf.net <PORT_FROM_INSTANCE>.
wget https://artifacts.picoctf.net/c_titan/31/heap0 && \
chmod +x heap0 && \
wget https://artifacts.picoctf.net/c_titan/31/heap0.c && \
nc tethys.picoctf.net <PORT_FROM_INSTANCE>
Menu overview
- 1. Print heap (shows your buffer).
- 2. Write to buffer (overflow opportunity).
- 3. Print safe_var (the target we'll zero out).
- 4. Print flag (only works once safe_var == 0).
Solution
This is the first heap exploitation challenge. Once you master basic overflow-to-zero here, continue to heap 1 (overwriting with a specific string), heap 2 (function pointer hijacking), and heap 3 (use-after-free).
- Step 1: Measure the gap. Reading heap0.c reveals your buffer is allocated just before safe_var, with 32 bytes between them. Overflowing with exactly 32 characters will zero safe_var.
- Step 2: Trigger the overflow. Use option 2 and enter 32 characters (e.g., A repeated 32 times). The trailing null terminator from fgets lands in safe_var, clearing it.
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- Step 3: Print the flag. Now that safe_var is zeroed, option 4 succeeds. The program checks the guard variable before revealing the flag.
  nc tethys.picoctf.net <PORT_FROM_INSTANCE>
  Write 32 bytes via option 2, then select option 4 to read the flag.
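As an added illustration (not heap0's own source), the C model below reproduces the layout the steps above rely on and puts the unbounded copy behind option 2 beside a bounded version; the single guard byte, the 128-byte input limit and the unlocked_after helper are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Model of the layout heap0.c describes: a 32-byte input buffer followed by a
 * guard byte standing in for safe_var. Both sit in one array (a modelling
 * assumption, not heap0's real malloc layout) so writes stay in bounds. */
#define BUF_SIZE 32
typedef struct { unsigned char bytes[BUF_SIZE + 1]; } heap_model; /* [32] = guard */

static void model_init(heap_model *m) {      /* empty buffer, guard non-zero */
    memset(m->bytes, 0, sizeof m->bytes);
    m->bytes[BUF_SIZE] = 0x42;
}

/* Vulnerable pattern (option 2): copy the string plus its NUL terminator
 * with no regard for the buffer's size. */
static void write_unbounded(heap_model *m, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof m->bytes) n = sizeof m->bytes;   /* keep the model in bounds */
    memcpy(m->bytes, input, n);
}

/* Hardened pattern: truncate so the terminator always lands inside the buffer. */
static void write_bounded(heap_model *m, const char *input) {
    size_t n = strlen(input);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(m->bytes, input, n);
    m->bytes[n] = '\0';
}

/* The gate behind option 4: the flag is released only when the guard is zero. */
static int flag_unlocked(const heap_model *m) { return m->bytes[BUF_SIZE] == 0; }
/* Feed `len` copies of 'A' through one of the two writers; 1 = guard cleared. */
static int unlocked_after(int bounded, size_t len) {
    char input[128];
    heap_model m;
    if (len > sizeof input - 1) len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    model_init(&m);
    if (bounded) write_bounded(&m, input); else write_unbounded(&m, input);
    return flag_unlocked(&m);
}

int main(void) {
    printf("unbounded, 31 x A: unlocked=%d\n", unlocked_after(0, 31)); /* 0 */
    printf("unbounded, 32 x A: unlocked=%d\n", unlocked_after(0, 32)); /* 1 */
    printf("bounded,   32 x A: unlocked=%d\n", unlocked_after(1, 32)); /* 0 */
    return 0;
}
```

Note that feeding more than 32 characters through the unbounded copy puts an 'A' rather than the terminator into the guard, which is why the step above says exactly 32.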
Flag
picoCTF{my_first_heap_overflow_0c47...}
Zeroing safe_var unlocks option 4, printing the flag above.