The second part of the challenge was exploiting a UAF (use-after-free) vulnerability.
This could be triggered if the admin deleted a “Bragisdumu” (btw what is a Bragisdumu!? :D).
But there were some restrictions, for example: the admin could only delete an item if there was no stock of it, so we had to buy it out first. But you could not buy any quantity you wanted, only 16, so you had to buy the Knight Rider one.
The program did try to nullify the object on deletion, but instead of nulling the pointer it only cleared the active field of the pointed-to object, and then deleted (freed) the object. So the deletion alone did not trigger the vulnerability; you also had to log in with a long enough username + password.
To make the exploit stable I had to leak some addresses. To do this I overwrote the whole item structure up to the ptr value:
This way the address of the KnightRider preview function was leaked. Then I logged out and logged in with a username that overwrote the preview function pointer (0x1275) with printf in the PLT (0xda0). As the parameter of this call is the Item structure’s address, which is fully under my control, I could send in a format string containing a lot of “%p”s, thus leaking the libc base address from the stack (among other things).
Then in the next round I simply overwrote the pointer with the calculated address of system and got a shell :)
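The deletion bug described above, reduced to a small C model (added example, not the challenge's own code; the `item_t` layout, field names and `knight_rider_preview` are assumed). It shows why clearing `active` and freeing is not enough: a same-sized credential buffer allocated afterwards lands on the old chunk and the stale pointer sees credential bytes where the preview pointer used to be, while nulling the reference on delete refuses the access.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical shop item, modelled on the writeup: an `active` flag and a
 * function pointer used for the item's preview. Field names are assumed. */
typedef struct {
    int active;
    char name[28];
    void (*preview)(void);
} item_t;

static void knight_rider_preview(void) { puts("Knight Rider preview"); }

/* Returns 1 if the shop's stale pointer now reads credential bytes where the
 * preview pointer used to be (the UAF), 0 if the reference was refused,
 * -1 if the allocator did not hand the freed chunk back (nothing to show). */
int stale_preview_clobbered(int null_pointer_on_delete)
{
    item_t *shop_slot = malloc(sizeof *shop_slot);   /* the shop's reference */
    shop_slot->active = 1;
    strcpy(shop_slot->name, "Knight Rider");
    shop_slot->preview = knight_rider_preview;

    /* Deletion as the challenge did it: clear `active`, free, keep the pointer. */
    item_t *victim = shop_slot;
    victim->active = 0;
    free(victim);
    if (null_pointer_on_delete)
        shop_slot = NULL;            /* the fix: no dangling reference survives */

    /* Login: a credential buffer of the same size. On glibc the tcache returns
     * the chunk just freed, so the username lands on top of the old item. */
    char *cred = malloc(sizeof(item_t));
    memset(cred, 'A', sizeof(item_t));           /* constructed credential bytes */

    int result;
    if (shop_slot == NULL)
        result = 0;
    else if ((void *)cred != (void *)shop_slot)
        result = -1;
    else
        result = shop_slot->preview != knight_rider_preview;
    free(cred);
    return result;
}

int main(void)
{
    printf("vulnerable delete: %d\nfixed delete: %d\n",
           stale_preview_clobbered(0), stale_preview_clobbered(1));
    return 0;
}
```

The clobbered pointer is only compared, never called; the point is that the stale item is now attacker-shaped, which is exactly what the `active` flag failed to prevent.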