Hacking Series Part 14

Challenge: messy-malloc

Category: binary exploitation

We are given a binary and its source code, called “auth” and “auth.c”. By looking at auth.c, you can tell that this program is essentially a simple authentication service. The parts of the source that show how everything works are the functions login, logout and print_flag, together with the user struct, which looks like the following.

In order to get the flag, a user needs to have the correct access code. If you convert the access code constant used in the source code from hex to ASCII, it reads ROOT_ACCESS_CODE.

If you look at login, you will see that when you enter a username, only the username field of the user struct is initialized. The other two fields (access_code and files) are never zeroed out, so they still hold whatever stale values were left behind by the previous allocation of that memory.

As a result, it is possible to end up with an entire user struct whose access code is correct, in three steps. The first is to log in with a crafted username that contains ROOT_ACCESS_CODE in the middle, surrounded by padding (since access_code is the second field in the struct). That can look something like the following.

aaaaaaaaROOT_ACCESS_CODEaaaaaaaa

Next, you log out, which frees the allocated memory and leaves the entire crafted struct sitting in the freed chunk. Finally, you log in again with the same username length as before, so that malloc returns the same pointer to the recently freed memory (in this case, our crafted user struct). The username you provide in this second login must not extend past the first run of padding characters, so it is safest to log in with just one or two characters.

After that you can print the flag, since the correct access code is now sitting in the access_code field of the struct. Using Python, I turned the previous steps into a single block of input and piped it to the service. The username length turned out to be 32 characters, so both login attempts use a length of 32.

( python3 -c "print('login\n32\naaaaaaaaROOT_ACCESS_CODEaaaaaaaa\nlogout\nlogin\n32\na\nprint-flag')" ; cat) | nc jupiter.challenges.picoctf.org 31378

I immediately got the flag after that.

picoCTF{g0ttA_cl3aR_y0uR_m4110c3d_m3m0rY_ff2dcf5b}
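To make the root cause and its fix concrete, here is an added C example (not the challenge's auth.c; the struct layout and field sizes are my assumption based on the description above). It shows a login that leaves access_code and files uninitialised next to a hardened version that zeroes the struct on allocation and scrubs it on logout, then replays the login/logout/login sequence against the hardened functions:

```c
#include <stdlib.h>
#include <string.h>
/* Assumed layout, modelled on the write-up: username first, access code
 * second, file list third. Field sizes are an assumption, not auth.c's. */
#define USERNAME_LEN 32
#define ACCESS_CODE_LEN 16

struct user {
    char username[USERNAME_LEN];
    char access_code[ACCESS_CODE_LEN];
    char *files;
};

/* Vulnerable pattern: malloc() returns the chunk's old bytes and only
 * username is written, so access_code and files stay stale. */
struct user *login_vulnerable(const char *name) {
    struct user *u = malloc(sizeof *u);
    if (u == NULL) return NULL;
    strncpy(u->username, name, USERNAME_LEN - 1);
    u->username[USERNAME_LEN - 1] = '\0';
    return u;
}

/* Hardened: calloc() zeroes the chunk and every field is set explicitly. */
struct user *login_hardened(const char *name) {
    struct user *u = calloc(1, sizeof *u);
    if (u == NULL) return NULL;
    strncpy(u->username, name, USERNAME_LEN - 1);
    u->username[USERNAME_LEN - 1] = '\0';
    u->files = NULL;
    return u;
}

/* Scrub before free() so a later same-size allocation inherits nothing. */
void logout_hardened(struct user *u) {
    if (u == NULL) return;
    memset(u, 0, sizeof *u);
    free(u);
}
/* Replays the write-up's login/logout/login sequence against the hardened
 * functions; returns 1 when the second user's access code is all zero and
 * files is NULL, i.e. nothing from the crafted first login survived. */
int hardened_sequence_is_clean(const char *crafted, const char *second) {
    logout_hardened(login_hardened(crafted));
    struct user *u = login_hardened(second);
    if (u == NULL) return 0;
    char zeros[ACCESS_CODE_LEN] = {0};
    int clean = memcmp(u->access_code, zeros, sizeof zeros) == 0 && u->files == NULL;
    logout_hardened(u);
    return clean;
}
```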
