Sheet 4

General Information

Make sure you have read and understood everything in Exercise Requirements and Grading Guidelines!

Remember to put a block comment at the beginning of the solution file for each task, describing the vulnerability (including relevant addresses or instructions) and your general plan for exploiting it.


The deadline for this sheet is 2026-06-21 22:00:00 UTC

Task 13 – Notebook App (4 Points)

We got a new app that allows you to take notes. There are two kinds of notes: simple ones and printable ones. The app is still work in progress so there might still be some bugs.

Find the bug in the notebook application and exploit it to print the flag. As always, describe what you are doing with technical details in comments so that we see that you fully understood the vulnerability and the exploit.

Once again, edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • What happens if you set the printing function to puts() and then have a heap allocation of the same size before that?
  • Have a closer look at the struct printable_note

Your solution should execute like this:

./solution
FLAG{some letters}

Task 14 – Bank Robbery 2.0 (12 Points, individual Task)

You are now a member of the digital bank robber group Fang-Den-Shui, which is famous for stealing money from the rich and giving it to the poor. Are you ready to prove your worth?

To successfully rob the bank, exploit bank_robbery to make it print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • What happens if you give scanf something it does not expect?
  • Are you able to influence the allocation on the heap in a way that you are able to print and overwrite something nice there?
  • The pwndbg heap command can be helpful for inspecting what the heap looks like.

Your solution should execute like this:

./solution
FLAG{some letters here}

Task 15 – Some Poison for the cash machine (12 Points)

Money is not everything, but with money everything is more fun. Therefore we want to use this awesome cash machine to get our money printed.

Poison cash_machine in a way that it gives you a shell, and use the shell to print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • Have a look at the backdoor function
  • How can you set up RDI when invoking the backdoor function?
  • Which function offers you the possibility that your allocation ends up in the tcache?
  • Can you see the difference between the cashbox_delete and the cashbox_update functions? What can you use after that?

Your solution should execute like this:

./solution
FLAG{some letters here}

Task 16 – Echo Service (8 Points)

Our developer team published this new echo service. As you can see, they made extra sure there are no buffer overflows, so everything should be nice and secure.

Are you ready to exploit it and make it read the flag from flag.txt and print it? Just do it then!

Once again, edit the provided solution template and explain your approach with meaningful comments!

You may not use pwnlib.fmtstr or equivalent exploit automation tools.

Hints:

  • Is there some nice GOT entry which you could overwrite? Which entry would be most suitable?
  • Maybe you can use some bug more than once to write the value one byte at a time…
  • ASLR is intentionally not enabled for this binary to make this task easier. Make sure you use the isolation-container with the personality syscall not blocked by seccomp. For example, you can use --security-opt seccomp=unconfined for your tests when starting the container. Also, if you want to run the binary without the script, make sure to use the command setarch x86_64 -R ./echo_service to disable ASLR.

Your solution should execute like this:

./solution
FLAG{some letters here}