Challenge Name
Exploit the function pointers in this program. It is also found in /problems/pointy_4_3b3533bd4e08119669feda53e8cb0502 on the shell server. Source.
1. The provided program allows us to enter students and professors. Students can then rate the professors.
2. The bug in the program is that we can select professors as students and students as professors. We can write the `lastScore` of a `Professor` and then treat it as a `Student` to control the `scoreProfessor` field.
3. The `Student` and `Professor` `struct`s are as follows:

   ```c
   struct Professor {
       char name[NAME_SIZE];
       int lastScore;
   };

   struct Student {
       char name[NAME_SIZE];
       void (*scoreProfessor)(struct Professor*, int);
   };
   ```

   `scoreProfessor` is a function pointer that sits at the same offset within its `struct` as `lastScore` does in `Professor`. We can create a `Professor` and set its `lastScore` field to the address of `win()`. Then we can treat that professor as a student, so the same bytes are read as the `scoreProfessor` pointer, which now points to the `win()` function. (`scoreProfessor` is normally set to `giveScoreToProfessor()` on line 79: `student->scoreProfessor=&giveScoreToProfessor;`.) Thus, when the `scoreProfessor` pointer is called (close to the end of the file: `student->scoreProfessor(professor, value);`), the `win()` function is executed and we get the flag.
4. Steps:
   1. Allocate a student `s1`.
   2. Allocate a professor `p1`.
   3. Use student `s1` to give the score.
   4. Give the score to professor `p1`.
   5. Set the `lastScore` attribute of professor `p1` to the address of `win()`.
   6.
   7. Allocate another student `s2` (only necessary to proceed to the next inputs in the program).
   8. Allocate another professor `p2` (only necessary to proceed to the next inputs in the program).
   9. Use professor `p1` (which has the address of `win()`) to give a score. This treats professor `p1` as a student, so the `scoreProfessor` function pointer now reads as `win()`.
   10. Give the score to professor `p1`. This does not matter, since we only care about the last line (`student->scoreProfessor(professor, value);`) where `scoreProfessor` (aka `win()`) is called. You could use `p2` here as well, since it is the extra professor we created earlier.
   11. Give a score of `0` to professor `p1`, but not really, since the `scoreProfessor` function pointer points to `win()` and not `giveScoreToProfessor()`: we changed it by treating a `Professor` as a `Student`.
5. Output of the exploit script:

   ```
   [*] '/home/<username>/Documents/PicoCTF/Binary Exploitation/pointy/vuln'
       Arch:     i386-32-little
       RELRO:    Partial RELRO
       Stack:    Canary found
       NX:       NX enabled
       PIE:      No PIE (0x8048000)
   [+] Connecting to 2019shell1.picoctf.com on port 22: Done
   [*] <username>@2019shell1.picoctf.com:
       Distro    Ubuntu 18.04
       OS:       linux
       Arch:     amd64
       Version:  4.15.0
       ASLR:     Enabled
   [+] Opening new channel: 'pwd': Done
   [+] Receiving all data: Done (14B)
   [*] Closed SSH channel with 2019shell1.picoctf.com
   [*] Working directory: '/tmp/tmp.klHpIRVO8i'
   [+] Opening new channel: 'ln -s /home/<username>/* .': Done
   [+] Receiving all data: Done (0B)
   [*] Closed SSH channel with 2019shell1.picoctf.com
   [*] win address: 0x8048696
   [+] Starting remote process b'/problems/pointy_4_3b3533bd4e08119669feda53e8cb0502/vuln' on 2019shell1.picoctf.com: pid 1203280
   [+] picoCTF{g1v1ng_d1R3Ct10n5_c7465fbf}
   ```
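The root cause in step 3 is a type confusion: `lastScore` and `scoreProfessor` occupy the same offset, so handing a `Professor` index to code that expects a `Student` turns an attacker-chosen integer into a call target. The following C program is an added example (editor's code, not the challenge binary or the writeup's script). It checks the aliasing with `offsetof` using the struct layouts quoted above, and then shows one hardened design: every object carries a type tag, and the scoring path only obtains typed pointers through tag-checking lookups, so a professor can never be used as a student. `NAME_SIZE` is not given on the page; `32` is an assumed value, as are all the `Safe*` names, `add_entry`, `safe_score` and the demo helpers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 32  /* assumed; the challenge's real value is not on the page */

/* Layouts as quoted in the writeup (the vulnerable shape): both types start
 * with the same name buffer, so Professor.lastScore and Student.scoreProfessor
 * land at the same offset and alias each other once an object is reinterpreted. */
struct Professor { char name[NAME_SIZE]; int lastScore; };
struct Student   { char name[NAME_SIZE]; void (*scoreProfessor)(struct Professor *, int); };

/* 1 when the int field and the function pointer share an offset (true on x86 and x86_64). */
int fields_alias(void)
{
    return offsetof(struct Professor, lastScore) == offsetof(struct Student, scoreProfessor);
}

/* ---- Hardened variant (illustration only, not the challenge's code) ----
 * A common header carries a type tag; the shared object table hands out typed
 * pointers only after checking that tag, so an index created as a professor can
 * never be returned as a student and lastScore is never dereferenced as code. */
enum kind { KIND_PROFESSOR = 1, KIND_STUDENT = 2 };
struct header { enum kind kind; };

struct SafeProfessor { struct header hdr; char name[NAME_SIZE]; int lastScore; };
struct SafeStudent   { struct header hdr; char name[NAME_SIZE];
                       void (*scoreProfessor)(struct SafeProfessor *, int); };

#define MAX_ENTRIES 8
static struct header *entries[MAX_ENTRIES];
static size_t n_entries;

/* Registers an object; returns its index, or -1 when the table is full. */
int add_entry(struct header *obj)
{
    if (n_entries >= MAX_ENTRIES) return -1;
    entries[n_entries] = obj;
    return (int)n_entries++;
}

/* Bounds check plus tag check: the only way to turn an index into a pointer. */
static struct header *lookup(int idx, enum kind want)
{
    if (idx < 0 || (size_t)idx >= n_entries) return NULL;
    return entries[idx]->kind == want ? entries[idx] : NULL;
}
struct SafeStudent   *lookup_student(int idx)   { return (struct SafeStudent *)lookup(idx, KIND_STUDENT); }
struct SafeProfessor *lookup_professor(int idx) { return (struct SafeProfessor *)lookup(idx, KIND_PROFESSOR); }

static void give_score(struct SafeProfessor *p, int value) { p->lastScore = value; }

/* Scores professor_idx through student_idx. Returns 0 on success and -1 when
 * either index refers to an object of the wrong kind (the bug described above). */
int safe_score(int student_idx, int professor_idx, int value)
{
    struct SafeStudent   *s = lookup_student(student_idx);
    struct SafeProfessor *p = lookup_professor(professor_idx);
    if (s == NULL || p == NULL) return -1;
    s->scoreProfessor(p, value);
    return 0;
}

/* Constructed demo objects: professor at index 0, student at index 1. */
static struct SafeProfessor demo_prof;
static struct SafeStudent   demo_stud;

void demo_setup(void)
{
    n_entries = 0;
    memset(&demo_prof, 0, sizeof demo_prof);
    memset(&demo_stud, 0, sizeof demo_stud);
    demo_prof.hdr.kind = KIND_PROFESSOR;
    strncpy(demo_prof.name, "p1", NAME_SIZE - 1);
    demo_stud.hdr.kind = KIND_STUDENT;
    strncpy(demo_stud.name, "s1", NAME_SIZE - 1);
    demo_stud.scoreProfessor = give_score;
    add_entry(&demo_prof.hdr);
    add_entry(&demo_stud.hdr);
}

int demo_prof_score(void) { return demo_prof.lastScore; }

int main(void)
{
    printf("lastScore and scoreProfessor alias: %s\n", fields_alias() ? "yes" : "no");
    demo_setup();
    printf("student 1 scores professor 0: %d\n", safe_score(1, 0, 7));  /* 0 */
    printf("professor 0 used as student:  %d\n", safe_score(0, 0, 9));  /* -1 */
    return 0;
}
```

The tag check is what the challenge binary lacks: its menu lets the caller pick any allocated index for either role, so the cast is driven by user input. In a real codebase the same property is better enforced by keeping separate tables per type (or separate allocators), so the index space itself cannot name an object of the wrong kind.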
picoCTF{g1v1ng_d1R3Ct10n5_c7465fbf}