ctftime

My solutions for various CTF challenges

pointy

Binary Exploitation - Points: 350

Exploit the function pointers in this program.

vuln

vuln.c

The Professor and Student structs are nearly identical: the professor has an int lastScore, and the student has a function pointer to the scoreProfessor function of the same 32-bit size. The retrieveProfessor function does not verify which kind of structure it returns (it even assumes struct Student), so it is possible to rate a student instead of a professor. The score written to that student overwrites the address in the student's scoreProfessor function pointer, so it can be made to point to the win function. The next time that student gives a rating, the program calls win and prints the flag.

This can be achieved with the following inputs:

Input the name of a student
a
Input the name of the favorite professor of a student 
b
Input the name of the student that will give the score 
a
Input the name of the professor that will be scored 
a
a
Input the score: 
134514326
Score Given: 134514326 
Input the name of a student
c
Input the name of the favorite professor of a student 
d
Input the name of the student that will give the score 
a
Input the name of the professor that will be scored 
d
d
Input the score: 
0

flag: picoCTF{g1v1ng_d1R3Ct10n5_c7465fbf}
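
The missing check described above, shown as an added example that is not code from vuln.c: a name-only lookup next to a lookup that also checks a type tag. The `entry` layout, the `kind` tag and all function names here are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed types for this example; not the structs from vuln.c. */
enum kind { KIND_STUDENT, KIND_PROFESSOR };
struct entry;
typedef void (*score_fn)(struct entry *prof, int score);
struct entry {
    enum kind kind;               /* tag set once, when the object is created */
    char name[32];
    union {                       /* overlapping storage, as in the challenge */
        score_fn score_professor; /* valid only for KIND_STUDENT */
        int last_score;           /* valid only for KIND_PROFESSOR */
    } u;
};
static struct entry registry[8];  /* zero-initialised static storage */
static size_t n_entries;
static void set_score(struct entry *prof, int score) { prof->u.last_score = score; }

struct entry *add_entry(enum kind kind, const char *name) {
    if (n_entries == sizeof registry / sizeof registry[0]) return NULL;
    struct entry *e = &registry[n_entries++];
    e->kind = kind;
    /* Copy at most 31 bytes; the zeroed last byte keeps the name terminated. */
    strncpy(e->name, name, sizeof e->name - 1);
    if (kind == KIND_STUDENT) e->u.score_professor = set_score;
    return e;
}

/* Flawed pattern: matches on name only, so an object of either kind is returned. */
struct entry *find_by_name(const char *name) {
    for (size_t i = 0; i < n_entries; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* Hardened lookup: the caller states the kind it expects; a mismatch is a miss. */
struct entry *find_typed(const char *name, enum kind want) {
    for (size_t i = 0; i < n_entries; i++)
        if (registry[i].kind == want && strcmp(registry[i].name, name) == 0)
            return &registry[i];
    return NULL;
}

/* Returns 0 on success, -1 if a name does not resolve to the expected kind. */
int give_score(const char *student, const char *prof, int score) {
    struct entry *s = find_typed(student, KIND_STUDENT);
    struct entry *p = find_typed(prof, KIND_PROFESSOR);
    if (!s || !p) return -1;
    s->u.score_professor(p, score);
    return 0;
}
```

With the tag checked on every lookup, asking for a professor by a student's name fails before any score is written, so the student's function pointer is never touched.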