Hacking Series Part 14

Challenge: messy-malloc

Category: binary exploitation

We are given a binary and it’s source code called “auth” and “auth.c”. By looking at auth.c, you can tell that this program is essentially a simple authentication program. There are a few important features of the source code that show us how everything works, which are the functions , , , as well as the struct that looks like the following.

In order to get the flag, a user needs to have the correct access code. If you convert the access code used in the source code from hex to ASCII, the access code becomes .

If you look at , you will see that when you enter a username, only the part of the struct is initialized. That means that the other two values ( and ) are still filled with random values from the previous memory allocation and are never zeroed out.

As a result, it would be possible to initialize an entire user struct with the correct access code in three steps. The first is to with a crafted user struct containing in the middle with surrounding padding (since is the second value in the struct). This can look something like the following.

aaaaaaaaROOT_ACCESS_CODEaaaaaaaa

Next, you use in order to free the allocated memory, which leaves an entire struct in freed memory. Finally, you login again with the same length of the previous username so that returns the same pointer to the recently freed memory (in this case, our crafted struct). The username we provide when logging in a second time should not exceed the first set of padding characters, so it is safer to just login with a single character or two.

After that you can print the flag since the correct access code should be leaked to the value of the struct. Using Python, I crafted the previous steps into an output and piped this to the service. The length of the username turned out to be 32 characters long, so in both attempts, the length should be 32.

( python3 -c “print(‘login\n32\naaaaaaaaROOT_ACCESS_CODEaaaaaaaa\nlogout\nlogin\n32\na\nprint-flag’)” ; cat) | nc jupiter.challenges.picoctf.org 31378

I immediately got the flag after that.

picoCTF{g0ttA_cl3aR_y0uR_m4110c3d_m3m0rY_ff2dcf5b}

some chaos for you