PlaidCTF 2014 - ezhp Writeup
In this challenge a binary was given: a note manager where you can add, change, remove or print notes. It has its own heap allocator that manages the allocation and freeing of the note buffers. What is interesting is how it frees a chunk:
int __cdecl sub_8048708(int a1)          // free(a1): a1 is the user pointer
{
    int result; // eax@8
    int v2; // [sp+4h] [bp-Ch]@2  -> chunk header (a1 - 12)
    int v3; // [sp+8h] [bp-8h]@2  -> next pointer  (header + 8)
    int v4; // [sp+Ch] [bp-4h]@2  -> prev pointer  (header + 4)

    if ( a1 )
    {
        v2 = a1 - 12;
        v3 = *(_DWORD *)(a1 - 12 + 8);
        v4 = *(_DWORD *)(a1 - 12 + 4);
        // unlink: both stores trust v3/v4 taken straight from the chunk header
        if ( v3 )
            *(_DWORD *)(v3 + 4) = v4;        // *(next + 4) = prev
        if ( v4 )
            *(_DWORD *)(v4 + 8) = v3;        // *(prev + 8) = next
        // push the chunk onto the free list whose head lives at dword_804B060 + 4
        *(_DWORD *)(v2 + 4) = *(_DWORD *)(dword_804B060 + 4);
        if ( *(_DWORD *)(dword_804B060 + 4) )
            *(_DWORD *)(*(_DWORD *)(dword_804B060 + 4) + 8) = v2;
        *(_DWORD *)(dword_804B060 + 4) = v2;
        result = a1 - 12;
        *(_DWORD *)v2 &= 0xFFFFFFFEu;        // clear the in-use bit
    }
    return result;                           // decompiler output: uninitialised when a1 == 0
}
Every note pointer a1 sits 12 bytes after its chunk header: a size/flags word at +0 (bit 0 marks the chunk as in use), a prev pointer at +4 and a next pointer at +8. free() unlinks the chunk by storing prev at next+4 and next at prev+8, and it never checks that either pointer actually points at a chunk. So whoever controls those two header fields gets a write-what-where (the classic unchecked unlink): set next to the address of the exit() GOT entry minus 4 and prev to the value we want there, and the first store overwrites exit@GOT with that value. The second store writes next back into value+8, so whatever the GOT entry now points at must tolerate the 4 bytes at offset 8 being clobbered (e.g. by starting with a short jump over them). After that, submitting an invalid menu option makes the program call exit(), which now goes wherever we pointed it.
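To make the write-what-where concrete, here is a small C model of that free() which I added for this writeup; it is not code from the challenge binary or from the original post. It simulates the binary's 32-bit address space with a byte array so the +4/+8 header offsets stay exactly as in the decompiled code, transcribes sub_8048708 over it, corrupts a chunk's prev/next the way the unlink attack does and shows the GOT slot being overwritten, next to a checked variant that refuses the corrupted header. The addresses (HEAP_STATE, CHUNK, NOTE_DATA, GOT_EXIT) and all function names are my own choices, not the binary's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 32-bit "address space" for the model: offsets into this array
 * play the role of the binary's pointers, so the +4/+8 header offsets used by
 * sub_8048708 carry over unchanged. Nothing here is the challenge's real memory. */
#define ARENA_SIZE 0x1000u
static uint8_t arena[ARENA_SIZE];

static uint32_t rd32(uint32_t addr)
{
    uint32_t v;
    if (addr > ARENA_SIZE - 4) abort();      /* the real target would just segfault */
    memcpy(&v, &arena[addr], 4);
    return v;
}

static void wr32(uint32_t addr, uint32_t v)
{
    if (addr > ARENA_SIZE - 4) abort();
    memcpy(&arena[addr], &v, 4);
}

/* Chunk header as read by the decompiled free(): +0 size/flags (bit 0 = in use),
 * +4 prev, +8 next; the user pointer a1 is header + 12. */
#define HDR_SIZE 12u
#define OFF_PREV 4u
#define OFF_NEXT 8u

/* Addresses chosen for the model (assumptions, not the binary's layout). */
#define HEAP_STATE 0x010u   /* stands in for dword_804B060; +4 holds the free-list head */
#define CHUNK      0x100u   /* header of the note we are going to free */
#define NOTE_DATA  0x400u   /* bytes we control, e.g. a payload in another note */
#define GOT_EXIT   0x800u   /* stands in for the exit() GOT slot */

/* Transcription of sub_8048708 over the arena. No validation of prev/next. */
static void ezhp_free(uint32_t a1)
{
    if (!a1) return;
    uint32_t chunk = a1 - HDR_SIZE;           /* v2 */
    uint32_t next  = rd32(chunk + OFF_NEXT);  /* v3 */
    uint32_t prev  = rd32(chunk + OFF_PREV);  /* v4 */
    if (next) wr32(next + OFF_PREV, prev);    /* store #1: *(next+4) = prev */
    if (prev) wr32(prev + OFF_NEXT, next);    /* store #2: *(prev+8) = next */
    uint32_t head = rd32(HEAP_STATE + OFF_PREV);
    wr32(chunk + OFF_PREV, head);             /* push chunk on the free list */
    if (head) wr32(head + OFF_NEXT, chunk);
    wr32(HEAP_STATE + OFF_PREV, chunk);
    wr32(chunk, rd32(chunk) & ~1u);           /* clear the in-use bit */
}

/* Hardened variant (added here; the binary has no such check): only unlink if
 * both neighbours point back at this chunk, like glibc's safe-unlink check.
 * Returns false and leaves memory untouched when the header is corrupt. */
static bool ezhp_free_checked(uint32_t a1)
{
    if (!a1) return true;
    uint32_t chunk = a1 - HDR_SIZE;
    uint32_t next  = rd32(chunk + OFF_NEXT);
    uint32_t prev  = rd32(chunk + OFF_PREV);
    if (next && rd32(next + OFF_PREV) != chunk) return false;
    if (prev && rd32(prev + OFF_NEXT) != chunk) return false;
    ezhp_free(a1);
    return true;
}

/* Corrupt CHUNK's header the way an attacker who can write into it would,
 * then free it. Returns the value free() leaves in the GOT slot. */
static uint32_t corrupt_header_and_free(bool checked)
{
    memset(arena, 0, sizeof arena);
    wr32(CHUNK, 0x100u | 1u);                    /* size word, in-use bit set */
    wr32(CHUNK + OFF_NEXT, GOT_EXIT - OFF_PREV); /* next: store #1 lands on GOT_EXIT */
    wr32(CHUNK + OFF_PREV, NOTE_DATA);           /* prev: the value written there */
    wr32(GOT_EXIT, 0xDEADBEEFu);                 /* pretend resolved exit() address */
    if (checked) ezhp_free_checked(CHUNK + HDR_SIZE);
    else         ezhp_free(CHUNK + HDR_SIZE);
    return rd32(GOT_EXIT);
}

int main(void)
{
    uint32_t got = corrupt_header_and_free(false);
    uint32_t clobbered = rd32(NOTE_DATA + OFF_NEXT);
    printf("unchecked free: exit@got = 0x%08x (wanted 0x%08x), data+8 = 0x%08x\n",
           got, NOTE_DATA, clobbered);
    got = corrupt_header_and_free(true);
    printf("checked free:   exit@got = 0x%08x (unchanged)\n", got);
    return 0;
}
```

Build with any C compiler (`cc ezhp_model.c && ./a.out`). The first line shows exit@GOT now holding NOTE_DATA and, as the caveat above says, the second store of the unlink has written next (GOT_EXIT - 4) into NOTE_DATA + 8; the second line shows the same corrupted header doing nothing once the back-pointer check is in place, which is the check the allocator was missing.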
Here is the code:
Flag: shitty_heap_allocators_are_shitty
Razor4x