PlaidCTF writeup for Pwn-275 – Kappa (type confusion vuln)

[Nytro]

PlaidCTF writeup for Pwn-275 – Kappa (type confusion vuln)

Hey folks,

This is my last writeup for PlaidCTF! You can get a list of all my writeups here. Kappa is a 275-point pwnable level called Kappa, and the goal is to capture a bunch of Pokemon and make them battle each other!

Ultimately, this issue came down to a type-confusion bug that let us read memory and call arbitrary locations. Let's see why!

The setup

When you run Kappa, you get a Pokemon interface:

Thank you for helping test CTF plays Pokemon! Keep in mind that this is currently in alpha which means that we will only support one person playing at a time. You will be provided with several options once the game begins, as well as several hidden options for those true CTF Plays Pokemon fans . We hope to expand this in the coming months to include even more features! Enjoy!

Choose an Option:

1. Go into the Grass

2. Heal your Pokemon

3. Inpect your Pokemon

4. Release a Pokemon

5. Change Pokemon artwork

If you go into the grass, you can capture a Pokemon:

You walk into the tall grass!

You failed to find any Pokemon!

Choose an Option:

1. Go into the Grass

2. Heal your Pokemon

3. Inpect your Pokemon

4. Release a Pokemon

5. Change Pokemon artwork

You walk into the tall grass!

A wild Kakuna appears!

Choose an Option:

1. Attack

2. Throw Pokeball

3. Run

You throw a Pokeball!

You successfully caught Kakuna!

What would you like to name this Pokemon?

POKEMON1

Choose an Option:

1. Go into the Grass

2. Heal your Pokemon

3. Inpect your Pokemon

4. Release a Pokemon

5. Change Pokemon artwork

...And so on.

Articol complet: https://blog.skullsecurity.org/2014/plaidctf-writeup-for-pwn-275-kappa-type-confusion-vuln