Analysis of the ZCTF 2015 PWN problems
PWN100
This problem is played the same way as SCTF pwn100; the difference is a few extra restrictions placed before the vulnerable code. exit(0) must not be triggered, otherwise the overflow is never reached.
As before, the canary check is tripped so that the flag held in memory is leaked.
Note1
This ZCTF problem is one of a series: the following three problems use the same program.
First look at the program's overall flow. It is a notepad program with this menu:
1.New note
2.Show Notes list
3.Edit note
4.Delete note
5.quit
option--->>
There are 5 options in total, and the program implements each of them in its own function.
Instead of simply storing data in a single region, the program maintains a list of data blocks.
The structure of each block can be seen in sub_400989, the new-note function.
From this picture, the structure of a block should be:
struct data
{
    unsigned char junk[16];     // first 16 bytes, use unknown (offset 0~16)
    unsigned char title[64];    // string holding the title, offset 16~80
    unsigned char type[32];     // string holding the type, offset 80~112
    unsigned char content[256]; // string holding the body, offset 112~368
};
which is exactly the 0x170 = 368 bytes of the allocated heap chunk, so the chunk is used in full.
The part whose use is unknown is presumably used to maintain the list, but I don't know how it is done (linked list).
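To check the recovered layout and to show how the raw block should be read safely, here is an added example in C; it is not code from the challenge binary or from the original writeup. The struct mirrors the offsets given above, the static asserts confirm that the fields land at 16, 80 and 112 and that the whole block is 0x170 bytes, and note_parse (a hypothetical helper, not part of the program) copies each field with a length bounded by the field size, because a title that fills all 64 bytes has no terminator inside its field and a plain strcpy or printf("%s") would run on into type and content. The sample block is constructed here, not captured from the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout recovered from sub_400989, with the offsets given in the writeup. */
struct note {
    uint8_t junk[16];      /* offset 0x00: use unknown, presumably list maintenance */
    uint8_t title[64];     /* offset 0x10 */
    uint8_t type[32];      /* offset 0x50 */
    uint8_t content[256];  /* offset 0x70 */
};

/* Compile-time confirmation that the layout fills the 0x170-byte allocation exactly. */
_Static_assert(offsetof(struct note, title) == 16, "title offset");
_Static_assert(offsetof(struct note, type) == 80, "type offset");
_Static_assert(offsetof(struct note, content) == 112, "content offset");
_Static_assert(sizeof(struct note) == 0x170, "block size");

/* NUL-terminated copies of the three strings. The extra byte leaves room for a
 * terminator even when a field is completely filled, which the raw block does not
 * guarantee. */
struct note_view {
    char title[64 + 1];
    char type[32 + 1];
    char content[256 + 1];
};

/* Length of a field, never looking past `max` bytes (a bounded strlen). */
static size_t field_len(const uint8_t *src, size_t max) {
    size_t n = 0;
    while (n < max && src[n] != '\0')
        n++;
    return n;
}

/* Copy one field and always terminate it: the copy stops at the field boundary,
 * so a title filling all 64 bytes does not bleed into `type`. */
static void copy_field(char *dst, const uint8_t *src, size_t max) {
    size_t n = field_len(src, max);
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse one raw 0x170-byte block into bounded strings. Returns 0 on success,
 * -1 if the buffer is too short to hold a whole block. */
int note_parse(const uint8_t *blk, size_t blk_len, struct note_view *out) {
    if (blk == NULL || out == NULL || blk_len < sizeof(struct note))
        return -1;
    const struct note *n = (const struct note *)blk;
    copy_field(out->title, n->title, sizeof n->title);
    copy_field(out->type, n->type, sizeof n->type);
    copy_field(out->content, n->content, sizeof n->content);
    return 0;
}

/* Constructed sample block (not captured from the challenge): the title is
 * deliberately filled to all 64 bytes so it has no terminator inside its field. */
static uint8_t sample_block[sizeof(struct note)];

const uint8_t *make_sample_note(void) {
    const char *body = "hello from a constructed note";
    memset(sample_block, 0, sizeof sample_block);
    struct note *n = (struct note *)sample_block;
    memset(n->title, 'A', sizeof n->title);
    memcpy(n->type, "text", 4);
    memcpy(n->content, body, strlen(body));
    return sample_block;
}

int main(void) {
    struct note_view v;
    if (note_parse(make_sample_note(), sizeof(struct note), &v) != 0)
        return 1;
    printf("title   (%zu bytes): %s\n", strlen(v.title), v.title);
    printf("type    : %s\n", v.type);
    printf("content : %s\n", v.content);
    return 0;
}
```

The three static asserts are the useful part when reversing: if a later function turns out to read a field at a different offset, the struct guess fails to compile instead of silently producing wrong offsets.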