PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Binary Exploitation

leap-frog

Previousseed-sPRiNGNextGoT

Last updated 4 years ago

Was this helpful?

Problem

Can you jump your way to win in the following program and get the flag? You can find the program in /problems/leap-frog_4_32907c7b6e253bd5d9422083e7243619 on the shell server? Source.

Solution

  1. Run the like so: python script.py USER=username PASSWORD=password

  2. This is not the intended solution. This is a classic ROP challenge. But instead of going through the process as intended, all the win* variables can be set to 1 by calling gets correctly. Libc's "gets" function is able to write anything typed into stdin to any writable segment of memory. This program writes 0x01 ("true") on top of the win1, win2, and win3 variables in memory to skip the need to call the leap functions. Then display_flag() is called.

  3. The payload is as follows:

    1. padding

    2. gets_plt (address of gets@plt): manipulates the return address of the first gets() in the vuln() function. So when the first gets() finishes, it jumps to the second gets()

    3. display_flag_addr (address of display_flag()): overwrites the return address of the second gets(). So when the second gets() finishes, it jumps to display_flag().

    4. win1_addr (address of the win1 variable): buffer for the second gets(). So the second gets() expects another input from the user and writes it to the address of win1. The three bytes written will overflow into win2 and win3 and set them to true as well.

      Extremely helpful explanation:

  4. These write-ups describe the intended ROP solution: () and ()

Flag

picoCTF{h0p_r0p_t0p_y0uR_w4y_t0_v1ct0rY_183d3d88}

Program
Source
script.py
StackOverflow answer by d4rwel
Dvd848
Archive
Fascinating Confusion
Archive