4. Heap Overflow

Goals

  • Learn to identify and exploit a heap overflow vulnerability.
  • Understand heap memory management in glibc.

Challenge description

This program is a simple login/logout system. Your task is to identify a heap overflow vulnerability and exploit it to run a shell. The program contains an admin account that executes the shell upon successful login. However, the admin account's password is set randomly each time the program runs and cannot be predicted.

Your goal is to exploit the vulnerability to reveal the admin account's password, gain shell execution on the server, and read the flag.txt file there.

Feel free to use the provided template.py as needed.

Tip: If you're unsure how to begin, try analyzing how the heap is managed when accounts are created. This can provide insights into potential points for a heap overflow.

Tips on Exploit

Simply triggering the heap overflow without care can cause the program to crash (e.g., an abort with the message "malloc(): corrupted top size").

To successfully exploit the program and reveal the admin password, you only need to overwrite a few bytes of heap memory.

Please focus on the program's own data structures rather than the heap allocator's internal metadata.

Submission

Once you've obtained the flag, please submit it to our CTF server. Then submit both your exploit code and a 1-page report through ETL. Your report should briefly explain the code you used to get the flag and how you solved the challenge. Please do not cheat, share your flag, or disclose your solution. Ensure that your report is strictly limited to 1 page.

Before submitting, rename your exploit code to solve.py and your report to report.pdf, then compress them with this command: zip report.zip solve.py report.pdf. Finally, submit report.zip through ETL.

If you fail to get the flag, you don't need to include solve.py in report.zip. Instead, please document your findings and attempts (such as identified vulnerabilities, your exploitation approach, etc.) in report.pdf. Partial credit will be awarded based on the content.