From 680b753f485e7d834ab3e2d1d317df0b6634b78e Mon Sep 17 00:00:00 2001 From: Maxime Vorwerk Date: Sat, 15 Jun 2024 14:05:24 +0200 Subject: [PATCH] Heap 1 --- heap_1/chall | Bin 0 -> 20664 bytes heap_1/chall.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100755 heap_1/chall create mode 100755 heap_1/chall.c diff --git a/heap_1/chall b/heap_1/chall new file mode 100755 index 0000000000000000000000000000000000000000..ce680619e232c93e397672a39d990da3df1c57b4 GIT binary patch literal 20664 zcmeHPdvsLQx!?0RlgVo`Aq0{Da(F~Q$s~a!gpkNgATZH@5rPRSo=oPEj7(3+`j_G=*PN3D(S>se{6}SnM{7Q(KhAz}$CaG*8QSzH9)r$%wWuhPCr;wA7 zGieKT1W8h)BUK(a}~PZxu&V~sEEr+L8Tvw&7fQ_;+aWR=qRcDm$6L0F5#C+Hw$}7sSZjz&&Pd#Pkrse&%I19CzE#QFq2f) zcMbf+5DAOFOyn@{5cSP84yuU1q$0emG8F8otEmk6Dnh|W{`nrm`8b>VRSi>u( zc2OO4Ol{r1iy05HF~X!j@pF+WtfYVKGl8<2t^Hqq_qw08F0Z)i<{f1{cgZryhioX3 zy*wmHCcXffZ1n!$22RI_p7B55PjsfV2#Pt=DDMKMPJ=fBE1U-31Z=u;yffewo9XN; zXTZM(Tt&`I^8id&j(Y~YZU+478Sootz{h~A$eGCiU}+{uvZi_Wd$d3>>}$eJ)uy<3muLouNI4YqH(R?6AZIhJnHQqV1dYhp9Ehd5oZGlcmx8WM63@U!C1t* ze!Uj+dcpzb-yeiN8Vtt+jEbV;u#RnQYi-`7t#PbNacdm4DSmAY(^@;WX+D3{-y4j@ z{n3tXn?jMWzr)iL@}q{{{zzD~Nz+ZIHKb$Efa6mBN!|>Ecs&t!6IglP%?}3i>53E= zSfVVLO-J{wLjL+^?#AJ4WS`dEnY=#A>(WVa5RQxMpTq|Q-sjXEB`)O`HtIN?D>POz zolV2j&#!Z7xa_;Wh$9dM^#9^Hru2r_N=8(D^Qt>eM;H`F%+!R;JJ z8-dvf`~yVbj|G=};2wU%>OQQzjJdh{jd=CG$otp=JFcIfuoRlqW)CB**bFOM)%0C+{3@V(B9EfJy!jF z_h{1@G%8vAGY4aD2OI^9Kf&#R2T_1~ROunI{=IlHLU9U46pHNRxq`(9$?&wGuwT#Z zYpGuMs*CQC3-0g!Zln9V@0r|&r`=~R#^<7dyF>xj;?0x()V_mF??BBGm+x{9 zH${nckDQO^xeqtJ2w{8`x;5^@&(q2eAshCf?o|EcKQRcUXwOazo)exA!O}fi+hRij zhb|_QXnY0QI#B@G4H>){bMx^=;twn5@p{31xPJT=5{I93UVj<}kC5>K-PnMFP@aj( z>mz97zuY6gJmut#ePXgLfb~(b&tG=>YorM59%hrMKe;m z6GC@{>y&k(i9aF{r{?vp8|Cr1%hl<+*0syk!JAb_!?l~NMw^<5-=_0%;$7g|4%hzX za>iN@Uon0=L_J)6WHh4Oj9M}y$^A!^?OY`zN&Tk+FMLQ9EqWe2?>`rtj*;r8#8dx? zqW{!^(F$8WS-vIuFH9cPO@51JrF18R?g%Kg^+l3Ln+Ea3g2){b=$MZFAdd=L) z^$ovgD7d2oSERPl@)mfYi4VY}ZS>>I&24A|px-v4v~|?b)uOC8Xxqqtqln7{(gTVv zw2fQ@n1H~`{RoHN;mymOQUOwvD{IZRB-y zu?LTL6E(OZPy_S;^}>Y0c8t5%-otBX8r78#0-Pu$`@^;Sbj_W*riwIg;j|p5_)ok^ zC-azoyxrj1B$cDG-?1G#i202+T%cHUhH|n2o?}1ZE@f|2_f+ ztifz~Cz<>n^1H}|e@Z47AkzaC3xqtqj`;pKi?W<*huTgHP^#PS8EDAPUdflE)Oep? z^(LZGKQvh1iu=__fP;N7Ta~lMp>{@tK;sd$ClLtvqYc?B2PHBTNkrAiU|1dSM`IDJ zoT)unF562*_&jls8VRQrwN^GD<_Y+Qbwwzo`uF+6YRDf~QJflzME0tlxY|FY z!X!vbUFpTFR$Eu}tKLXB5cE-#gK-rLY%Ahwk6-PN_=16;-?u8KMpm^20ieEiM2Dyc zlU=6BtX6v?5uX}Lc=xW#sdcC=SftCzX$fPcjhYfwy?v3O*WaKrdT?T!sYiiGRK`JN z3Y+k%KocOWS_%wc3-_q?QGr7+R*oy z8VbS{F^LYv`-0(KH5kLd1QDm09|PrI!g97pRBFGUw}yh&u#)9;`a|AGKOZO>y6PpY zRmF-V1u}Ci)L4W97wd~8LOzNdwMY#_BmJr;j6iw%F`lT}!FC42UIbPY5sXo!#h~I~ z!ASq_0n`tU!9E;H=z|&z2O@l62R#@ri~${R)If}+>Ip^t9v=-22Hoq4@`EoCqh9MP zud;`Z97cz&x|5F31|D^n&lmN_VhB2qJXiA}QdM?&MS7YlL32544e!G;uTP9Ho#ciE zrVaGX0*|*qA zt}MtMv>s#|%QjrLcKK3*$^QoAG1$?|G?`Q|apVV3?!5%MZ1&Bz_F<#3*=BdytS(zS z_q_+I<>-$pY;Lq!IZpju4Ll@p<4raz)kXdO1n^pc$6!xwJ%{`d@Daj!6(ug4I&3;( zG~Q+dYj3t$-B4Mn&xp?;y;{SE}L^W>rTt4a>V@4rcWA8*BJ?` z;(A!YR&Tr$-m_^o0<#gAjlgUKW+N~gf!PTBLq|Y6V6VpomtsZq83nO~svqy&S zy7g2~A6_Dr>Lm4j-U1=ZIb)fS<#&2CC#59y?_5kqNIot;u9M%oxdkJ?aeGGSv6#Wr zD}rKWf~OKeiv^WLxH0C`5t<%SI;#^tCnc5^kSWdA3F{Vs#1Dyv$aYJA`Away9}6SA zKPZNqVvU5$ZsCu06)wv-V=B+(r9%I{kW=jz?fJhV^1JfP`s>8;utm^o1q}$gPtZ>a zdbgk_1pS7fvfMtW&TZYasX<-2t0xhTC)Da{M~$PZqB_CF>RZ>Waa7f;5-<}+-jD~+ zb9fev1@Y)u4Tm%rM>VTOC>3VlqhY}DtaGT%Xc{!@qeKTeWuu8c4`#W>`6@LX7%RYu5 zC8q)ho+a1NVYEAQ4ZDmnp~zx+R>SL5Yd*I&KMdCPE&QxivI^FmHCEfRNo!oo>^W4k zvCeAG<;*&}J&!Z>CH8#ItXJ(e&NQsF7jR}nmEF#n#(H}pXPTV$Ih=92?M0k%wcF=% zrn$>r{1lE$wYvxGrJQMv+sn?7>dO80MZX|s+d=!{*NEAEyM4)d zVy+&xFMEfWYYy4VFA}r+sC|V60We;Fk9}1>F*h8yU(T!8^MHNzTtaR@$80*aD z=$zX~*pt7Isx7J_p*x>9axVWZ=D+j!?|lAS!hcJ%cf+)dO@_jWW)vFA%Zn6Kd33&g z{(|zt1#>L1`SJO88gPv?)-Y3fYthEihTILgMqK<%%K==Gn~UqQxq!76;h1+A$i-Rm zu~JhxnQg?q0;d3hI9FH*ZSz2M9lk{>f>~}Z)r-jG^VX7353#TaVj~>q7z|W-5#D7Lt%G7Nbs{(S z3b4iV!0O)f3J{z5qFQCL+LCp=+S18>R->>ohj83jsxHAnxL{H}*=}m}!bPmQh=S3T zyF0fNRW2f6*D@)xTQG(St|TW>y}@Ak5MM`tph)^~9n4|{EQ2GXn~w|Ghioz|HWnzC zSdM^aKfP&TUF}DI_-fsyr+)Hm=Lhk-ff@dI$y?8DEFRXL`l7L+=Y~IJ-v`jR;44{M z7YxOJx&66C3s-+W>-C2Kn$B4N^ZkbSQ;Pkimmkl0r2qY|12iwc_ZQ1N-z<(^m9^&f zQ(ySfjqZO7@EuQ=a27 z#r~L*ZMjb|SgupDO*aRWxu-0qy;cW6)4aw%D)wPgL&;uMl$<3>9tbzzt*|OW9(!EL z`!>hsSavIR=oCvru^&@xf;Ajd@YxvmeTmx@!cIX843?J^_AE44J$C*vW!W%+7HgB_ zzOUpFL`_3oufxvddFZdzX3DwmFBR5kF?Dt6eP~oH7E?u+vcQ7QS{h9c90(}+7Sjc0 zeMn&z)6oNQRBl@KjFNW(%%t@*Botcu5SA-VCl1_BR;Ss07Sp#6e9K~bl07pl`tqXX z`>C#&V%95_JnBCA^6r~lFDi2_rt_>z$&Xn~pF4o@_zml_nC?D+pWgvqV!FvX$C!m9 z>~Flmdi$`8#o=X@obiWy{Vbg5*Z9_!7{ihPlW(LU;FYmP?~79#S?Eo34BJbt*63ZW zHV}_a3jVNfQt0u-uqy?2{0*>{Axb}8DIKw-Flk7FRKz^{{An7zYEBGH%3RA$`#sUU zm|5_8b)ISHCU)pxD^JKDj(}1J)-Wv+@@bJkAm)!_?+h3X6fe{@ZzPoH53@u#7VHiC zee_y93e~TF37877ZJ5Xa$6~hZw4a%BZU$ z4#Dw8e17jfogc&+h8}D!5cOl5PYnBvV$exRuVcXDtDS5fb^!IV7`7-;fmrfD%oE{6 z%7VuJ1q6`u*Vq6GOxobeOl#kA@B+W_)W?zz2jDKG@H3 z<)91PAtxB5{Z3BUK|$s9BU^0nG6}jt&>ezy3wo=d2L=7Qpce$S;qpwWO3<$fIwoih zy@*D-QanWbK+uaq|De#137RMLmk9crpk?#)a?(zS%0w($iN%gk0s&1IDzR};tE&;a z2z$ec%AR06Rv8}}@W=iJL)`>hzA8hZef<^H*pUdHPl+q_sc@=Rd75H3Suo=0qb+6$ zZ=4S(Bwis$eLjBx3{5*|aAr%pal1lkQZw4>0p@l!F%YbCy>v>?4T$t_8XRxe~bnnI>1Q$Wi$00NsO3H?zIS z`;qTJ{ukuWBh&5h6!H&{UqU{Q{0_1azPZTrkQX7BBUd2PRCGPE3wawdt(@#d9z?zk z`7Y#tL#{?Xf&2*aN#yS!KaNZ@&$Gxhw|xVdW|js-B@5Y(OtaTglKkhdaV zgZvuouLa$WJad8(g7y1krUgA;8ld^Ocpy}T0UeUl* z=YMHWqhY{|aKNb})ILhPkPWPu$>(_v;^*VYRIhxWAn`+BFeOjDACUN$z)aWvnfmn~ zyqqF-VYw_}l1^97x4Hd1mihepGB?^dZpYgd8Gq@uliL?Cc}=Soif+P)+1V3a1feOc-rBHRBqaI)_f!B)97KKSRj5Yh-eCr&pm<-qNT z&rxTZG1xDP^5y?UxKyYw6ZV&6o5^nx`kI z#XY?YKrD_a0;Z0WdyutwzviV~$e43!zKGTviu8CwnlB!S#xzf2Kf^}|1NfN3?{id5 zZ$W#kgPJEA^$cOU7mp6HK-ANZiBO`ye+VvVl15XQDW>u!scBnwxVE)uE!#KKoNM#$ z?XGRDo8XOo_*#owXx*E4Fl}qw)y=Lp?dmOCcD8hA9j@lK7I*5^9=pe&ET3Z z7SZ}VVIOT2$E=X%6k&~KiRn{({yB_3A=E#&m{O*`lYI)LPtUcUSWGm9PZ-l4Cis5% zsV-AC!lzX0_?GyTNMY18>~EI?N*mv&-OaAIna^jZ?%1DN7N7evM{KAc(|FK$RHuEC z!()#>I=~#^NZjwhw9YXQ#a{ksd?*d-Nd)o#BZ58wxtd!m=)B#tU92hj_z{!dEKVkl!L@!RSKt%GMo}Q?GpOo-VGyIZA z$Rz8*M>mou6C4JUa>PqdFQ`Q?JR0tuBEwWXO~o=UJ%5i#>lnDC^XV`7mx%e7q;egD zbd<<8JuQPkYX`U-@>DPUB~=A3iM&rqnWo?A{$0Xf(#&a)yiZ7fn!ly{%lV_Esx%Zd z)4vlqKJ$yn_RIAdNoDeBwUJoae|nWgDTqv6mi}@* zNYYoxC@p2i|7PfDtws9F^%Y4~;VauO?IgVwdRn`YvRuEB)G7Qk+b>`?3Wj1T{pI?R zq-TYptUt5=pB4Vi!mgVtLXtGypJJBje?Ksai7Y>LKNk08xlRWYo-)V(b3oJmRpBS; zaosKTD{uFbeksF$OeiFk?Ue;cS<;gk{&HR=X|H^Y6a~n7WqIGo@R##qN%N(lpqc%D zT=>iJW2!I|v_+hc0_9^Zd7@7uQ~adAeBO|>gN)KrX8k{gF5Un5GTm5G+P{{bWZWe7 zb1?MCE}JR;e~SD+N166gmUJAxc#2H<%jdoE3V=w`PM0QSiN6g69ec8V`5Y$yZ`C=` zesNf*%9G>xW%!bb^q2p)<%LRsNL4yX{mObJ{WCP_{>&*%g=4o6C6RuTTHu`S-|f^b zyM@1OXQscD>G_b#lI@rC?E&GhN<%?qy%H`I^$T+eGwHu0h3E{mm6D`o!e2)xf1eNq zu9poHD(NRJFP*{vLwaF=bTGpqLuB-wY9>a0|0Et*Z<8kmfk>IQPT`-~|Bu$`_T4l1 z%W|#~{<`(#?+x_23F#dFo&1r066u_w{>BZu1-)NLPtsq~Ug4i^L;U-~Uo<17mVOeT zw^NxI>DD&t7Ma)YOxsV*;J;n?XBM96PjW_xdByEbdj0Q-3)ZC&=OD}DSKhy~fn^+G g+|k|43HwP#;hFW*JCy1C7t*Ujq<_tD$Pn580Q66^{r~^~ literal 0 HcmV?d00001 diff --git a/heap_1/chall.c b/heap_1/chall.c new file mode 100755 index 0000000..ec094ba --- /dev/null +++ b/heap_1/chall.c @@ -0,0 +1,116 @@ +#include +#include +#include + +#define FLAGSIZE_MAX 64 +// amount of memory allocated for input_data +#define INPUT_DATA_SIZE 5 +// amount of memory allocated for safe_var +#define SAFE_VAR_SIZE 5 + +int num_allocs; +char *safe_var; +char *input_data; + +void check_win() { + if (!strcmp(safe_var, "pico")) { + printf("\nYOU WIN\n"); + + // Print flag + char buf[FLAGSIZE_MAX]; + FILE *fd = fopen("flag.txt", "r"); + fgets(buf, FLAGSIZE_MAX, fd); + printf("%s\n", buf); + fflush(stdout); + + exit(0); + } else { + printf("Looks like everything is still secure!\n"); + printf("\nNo flage for you :(\n"); + fflush(stdout); + } +} + +void print_menu() { + printf("\n1. Print Heap:\t\t(print the current state of the heap)" + "\n2. Write to buffer:\t(write to your own personal block of data " + "on the heap)" + "\n3. Print safe_var:\t(I'll even let you look at my variable on " + "the heap, " + "I'm confident it can't be modified)" + "\n4. Print Flag:\t\t(Try to print the flag, good luck)" + "\n5. Exit\n\nEnter your choice: "); + fflush(stdout); +} + +void init() { + printf("\nWelcome to heap1!\n"); + printf( + "I put my data on the heap so it should be safe from any tampering.\n"); + printf("Since my data isn't on the stack I'll even let you write whatever " + "info you want to the heap, I already took care of using malloc for " + "you.\n\n"); + fflush(stdout); + input_data = malloc(INPUT_DATA_SIZE); + strncpy(input_data, "pico", INPUT_DATA_SIZE); + safe_var = malloc(SAFE_VAR_SIZE); + strncpy(safe_var, "bico", SAFE_VAR_SIZE); +} + +void write_buffer() { + printf("Data for buffer: "); + fflush(stdout); + scanf("%s", input_data); +} + +void print_heap() { + printf("Heap State:\n"); + printf("+-------------+----------------+\n"); + printf("[*] Address -> Heap Data \n"); + printf("+-------------+----------------+\n"); + printf("[*] %p -> %s\n", input_data, input_data); + printf("+-------------+----------------+\n"); + printf("[*] %p -> %s\n", safe_var, safe_var); + printf("+-------------+----------------+\n"); + fflush(stdout); +} + +int main(void) { + + // Setup + init(); + print_heap(); + + int choice; + + while (1) { + print_menu(); + if (scanf("%d", &choice) != 1) exit(0); + + switch (choice) { + case 1: + // print heap + print_heap(); + break; + case 2: + write_buffer(); + break; + case 3: + // print safe_var + printf("\n\nTake a look at my variable: safe_var = %s\n\n", + safe_var); + fflush(stdout); + break; + case 4: + // Check for win condition + check_win(); + break; + case 5: + // exit + return 0; + default: + printf("Invalid choice\n"); + fflush(stdout); + } + } +}