[+]HITCON CTF 2015 Matrix X Matrix (Pwnable, 175 points)

Categories Uncategorized

The program implements some matrix multiplication function, first we should input size of matrix, and than there matrix will be allocated on the stack and calculate multiplication of first two matrix into the third one.

The vul locates in input matrix size can be negative, and when we assign value to the first matrix element, we can overwrite(ebp) and then overwrite a got function pointer(in our case is puts) to the beginning of the function. After that we can do the same trick again but this time we are not going to overwrite any function pointer in got, instead, we leverage the multiplication to leak a function pointer to calculate the base address in libc. In the third round, we can overwrite a function pointer in got to libc gadget and prepare our ROP chain by using a large matrix.

The following is the exploit code:



No Comments

Leave a Reply