Plaid CTF 2015 writeup (prodmanager, clifford, ebp, unknown)


1. prodmanager (180 points)

prodmanager is a product management system. After a short investigation of the source code, I found a use-after-free (UAF) vulnerability in a doubly linked list: the program does not keep the product list and the lowest-price list in sync, so an item that has been freed from the product list is still present in the lowest-price list.
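The bug class behind this challenge, as an added illustration that is neither the challenge binary's code nor the exploit: one product node is linked into two intrusive doubly linked lists, and removal must unlink it from both before the memory is freed. The struct layout, list names and helper functions are assumptions made for the example.

```c
#include <stdlib.h>
/* One product node is linked into two intrusive doubly linked lists. */
struct product {
    int id, price;
    struct product *pprev, *pnext;   /* product list links */
    struct product *lprev, *lnext;   /* lowest-price list links */
};
struct lists { struct product *products, *lowest; };

/* Push onto the product list; insert sorted (ascending) into the price list. */
struct product *add_product(struct lists *ls, int id, int price) {
    struct product *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->id = id; p->price = price;
    p->pnext = ls->products;
    if (ls->products) ls->products->pprev = p;
    ls->products = p;
    struct product **pp = &ls->lowest, *prev = NULL;
    while (*pp && (*pp)->price <= price) { prev = *pp; pp = &(*pp)->lnext; }
    p->lnext = *pp; p->lprev = prev;
    if (*pp) (*pp)->lprev = p;
    *pp = p;
    return p;
}

/* Vulnerable pattern (shown for contrast only, never call it): the node is
 * unlinked from the product list only, so the price list keeps a dangling pointer. */
void remove_product_buggy(struct lists *ls, struct product *p) {
    if (p->pprev) p->pprev->pnext = p->pnext; else ls->products = p->pnext;
    if (p->pnext) p->pnext->pprev = p->pprev;
    free(p);                          /* ls->lowest may still reach p: UAF */
}

/* Hardened: unlink from every list that references the node before freeing. */
void remove_product(struct lists *ls, struct product *p) {
    if (p->pprev) p->pprev->pnext = p->pnext; else ls->products = p->pnext;
    if (p->pnext) p->pnext->pprev = p->pprev;
    if (p->lprev) p->lprev->lnext = p->lnext; else ls->lowest = p->lnext;
    if (p->lnext) p->lnext->lprev = p->lprev;
    free(p);
}

/* Cheapest price, or -1 when empty; and the length of the price list. */
int lowest_price(const struct lists *ls) { return ls->lowest ? ls->lowest->price : -1; }
int count_lowest(const struct lists *ls) {
    int n = 0;
    for (const struct product *p = ls->lowest; p; p = p->lnext) n++;
    return n;
}
```

After a hardened removal the lowest-price list can no longer reach the freed node, which is exactly the invariant the challenge binary failed to keep.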

The following is the exploit code:


2. Clifford (100 points)

This challenge contains two ELF binaries; the older one is easier to analyze because it is not obfuscated. After some static reversing and dynamic inspection of the heap, I realized that this challenge is actually a math problem: the magic hexagon (六角幻方). We need to complete the hexagon by inputting the correct numbers.

Input the following 19 numbers into the program and the flag will be generated:

9 14 15 11 6 8 13 18 1 5 4 10 17 7 2 12 3 19 16

The flag is: too_bad_this_took_20_years_to_find!!

3. ebp (160 points)

There is a format string vulnerability in this program. By crafting the input, we can overwrite ebp so that it points to a global array that is under our control. After the main function returns (on receiving an EOF), EIP is redirected to the global array. If we put shellcode (a reverse shell) in that array, we get a shell and can read the flag:


The following is the exploit code:

We need to listen on a local port:

The shellcode is generated by:

The following is the server script:



4. unknown

The file is an ATK image file. Download an image converter and use it to display the image content; the flag is:

