Problem

Can you jump your way to win in the following program and get the flag? You can find the program in /problems/leap-frog_4_32907c7b6e253bd5d9422083e7243619 on the shell server? Source.

• Program

• Source

Solution

1. Run the script.py like so: python script.py USER=username PASSWORD=password

2. This is not the intended solution. This is a classic ROP challenge. But instead of going through the process as intended, all the win* variables can be set to 1 by calling gets correctly. Libc's "gets" function is able to write anything typed into stdin to any writable segment of memory. This program writes 0x01 ("true") on top of the win1, win2, and win3 variables in memory to skip the need to call the leap functions. Then display_flag() is called.

3. The payload is as follows:

   1. padding

   2. gets_plt (address of gets@plt): manipulates the return address of the first gets() in the vuln() function. So when the first gets() finishes, it jumps to the second gets()

   3. display_flag_addr (address of display_flag()): overwrites the return address of the second gets(). So when the second gets() finishes, it jumps to display_flag().

   4. win1_addr (address of the win1 variable): buffer for the second gets(). So the second gets() expects another input from the user and writes it to the address of win1. The three bytes written will overflow into win2 and win3 and set them to true as well.

      Extremely helpful explanation: StackOverflow answer by d4rwel

4. These write-ups describe the intended ROP solution: Dvd848 (Archive) and Fascinating Confusion (Archive)

Flag

picoCTF{h0p_r0p_t0p_y0uR_w4y_t0_v1ct0rY_183d3d88}