search
My ChannelGitHub

๐Ÿ‘Notes - TFCCTF2023

hashtag

hashtag
Source

file-download
29KB
notes
arrow-up-right-from-squareOpen
file-download
2KB
notes.c
arrow-up-right-from-squareOpen

hashtag
Analysis

ฤแปc qua source code 1 hแป“i tรดi thแบฅy ฤ‘ฦฐแปฃc 1 phแบงn khรดng kiแปƒm tra input:

#define CONTENT_MAX (long long)256   // <--- here
...
note_t* add() {
    note_t* note = malloc(sizeof(note_t));
    note->content = malloc(sizeof(CONTENT_MAX));  //<--- here
    printf("content> \n");
    fgets(note->content, sizeof(CONTENT_MAX), stdin);
    return note;
}
void edit(note_t* note) {
    printf("content> \n");
    fgets(note->content, CONTENT_MAX, stdin);  // <---- here
}

Tรดi ฤ‘oรกn bร i nร y sแบฝ ghi ฤ‘รจ vร o nhแปฏng phแบงn dแปฏ liแป‡u nhแบฃy cแบฃm trรชn bแป™ nhแป› heap vร  cรณ thแปƒ chแป‰nh sแปญa tรนy theo รฝ muแป‘n.

hashtag
Set break point tแบกi add() vร  edit()

ฤรบng nhฦฐ tรดi dแปฑ ฤ‘oรกn ban ฤ‘แบงu

hashtag
Nhฦฐng lร m sao ฤ‘แปƒ win ฤ‘ฦฐแปฃc bร i nร y?

Cรกch duy nhแบฅt lร  GOT overrite thแบฑng exit@plt ---> win()

hashtag
Test:

ban ฤ‘แบงu tรดi gแปญi nhฦฐ bรฌnh thฦฐแปng 2 index 0 vร  1 sau ฤ‘รณ tรดi sแปญa vร  gแปญi lแบกi 1 ฤ‘oแบกn dแปฏ liแป‡u lรชn index 0 trong heap

Sau khi tรดi gแปญi tiแบฟp lแบงn nแปฏa แปŸ index 1 thรฌ nhแบญn ฤ‘ฦฐแปฃc lแป—i trรชn. Thay thแบฟ dรฒng chแปฏ "Kinabler" --> thร nh got cแปงa exit vร  sau ฤ‘รณ edit lแบกi แปŸ index1 vร  gแปญi lรชn ฤ‘แป‹a chแป‰ cแปงa hร m win. Tรดi ฤ‘ฦฐแปฃc kแบฟt quแบฃ nhฦฐ sau:

hashtag
Full payload:

PreviousLeek - AmstromCTF 2023NextFUSec - Brainf***

Last updated