# messy-malloc ## Problem > Can you take advantage of misused malloc calls to leak the secret through this service and get the flag? Connect with nc 2019shell1.picoctf.com 21899. Source. * [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/messy-malloc/auth/README.md) * [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/messy-malloc/auth.c) ## Solution 1. `nc 2019shell1.picoctf.com 21899`: ``` Commands: login - login as a user print-flag - print the flag logout - log out quit - exit the program Enter your command: [anon]> login Please enter the length of your username 4 Please enter your username test Enter your command: [tes]> Invalid option Commands: login - login as a user print-flag - print the flag logout - log out quit - exit the program Enter your command: [tes]> print-flag Incorrect Access Code: "" Enter your command: [tes]> logout Enter your command: [anon]> quit ``` 2. We need to login as a user which has an access code allowing them to print the flag. However, there is no API to set access codes. `user` struct: ```cpp struct user { char *username; char access_code[ACCESS_CODE_LEN]; char *files; }; ``` 3. The program uses `malloc` instead of `calloc`. `malloc` allocates memory block of given size (in bytes) and returns a pointer to the beginning of the block. `malloc` doesn’t initialize the allocated memory. `calloc` allocates the memory and also initializes the allocated memory block to zero. Therefore, the memory set in line 73 (`char *username = malloc(username_len+1);`) can be reused. The values stored in the block of memory allocated by `malloc` will persist when `malloc` is called again since `malloc` does not overwrite them. More info about [malloc vs calloc](https://www.geeksforgeeks.org/difference-between-malloc-and-calloc-with-examples/). 4. `malloc` in itself is not dangerous but this program has a vulnerability where it only initializes the `username` field of the `user` `struct`, which means the other members of the `struct` will contain leftover values from whatever the memory was previously used for. 5. Running the program allows us to create a user that has a username with the length of our choice. We can set the length of the username to `sizeof(struct user)`, which is the length of the `user` structure (32 bytes = 8 for username pointer + 16 for size 2 array + 8 for files pointer). We can set this allocated username field as if it were a `user` structure. When we `logout`, the allocation is freed. However, we can log back in and the heap manager will probably provide us with the same buffer we just freed since the requested buffer size is equal to a previously freed buffer size (an optimization to reduce memory fragmentation). This new user will have the "leftover" access code and will be able to access the flag. This is possible because the previous user's username memory was freed (and was the last chunk to be freed), but not cleared. 6. Visual Description: 1. Allocate the first user: ``` user struct char *username: pointer (that points to a "username buffer" with the username) char access_code: unknown leftover char *files: unknown leftover ``` 2. Free first user 3. Allocate second user (Heap Manager provides "username buffer" as buffer for user struct): ``` struct user (previously: "username buffer") char *username: pointer (that points to a newly allocated block of memory containing the new username) char access_code: ACCESS_CODE (leftover from "username buffer") char *files: bbbbbbbb (leftover from "username buffer") ``` 7. Run the [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/messy-malloc/script.py) `python script.py USER= PASSWORD=`: ``` [*] '~/Documents/PicoCTF/Binary Exploitation/messy-malloc/auth' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) FORTIFY: Enabled [+] Opening connection to 2019shell1.picoctf.com on port 21899: Done [+] picoCTF{g0ttA_cl3aR_y0uR_m4110c3d_m3m0rY_ac0e0e6a} ``` ### Flag `picoCTF{g0ttA_cl3aR_y0uR_m4110c3d_m3m0rY_ac0e0e6a}`