heap 0

Intro to heap exploitation and allocator behavior through controlled memory corruption.

Tags: Cybersecurity, Binary Exploitation, Heap Overflow

Similar to a stack overflow exploit, we can target dynamically allocated memory that persists on the heap. Looking at the source code, we can target the input_data variable, which dynamically allocates a buffer of size INPUT_DATA_SIZE. That buffer is stored on the heap at an address like 0x5b537f7662b0 (where "pico" originally was). Note: you can find these addresses by selecting the option that prints the heap. Additionally, looking at check_win(), the code prints the flag if safe_var has been modified. If we can reach safe_var by writing past the end of input_data, we can directly modify the value "bico" stored at an address like 0x5630d9c926d0.

Looking at write_buffer, the input writes directly to input_data through scanf(). We're now ready to write our exploit!

We can calculate our offset by subtracting 0x5630d9c926b0 from 0x5630d9c926d0, giving us 0x20, or 32 in decimal. This means we have to provide 32 bytes (32 characters in C) to fill input_data up to the start of "bico". Note: since the null terminator is appended to the string as our 33rd byte, it lands on the first character of "bico" and overwrites it with \0, in other words turning safe_var into an empty string.

Running the command:

printf 'A%.0s' {1..32}; echo

will give us 32 As, which we can then copy and paste into the buffer. Connecting to the instance through the netcat command (nc), selecting 2, inputting our 32-character string of As, then selecting 4 will give us our flag!
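To make the offset arithmetic and the overwrite concrete, here is a small C model I added for this writeup; it is not the challenge's own source. It reproduces the layout described above inside a single allocated block (input_data at offset 0, safe_var 0x20 bytes later) so the overflow stays inside one allocation and the program is well-defined to run. INPUT_DATA_SIZE is an assumption (the page never states it), write_buffer_unsafe stands in for the unbounded scanf() write, and write_buffer_safe is a hardened variant of my own that rejects input that would not fit. The 32-byte case shows exactly why the terminator is what clobbers "bico".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for input_data (not given on the page). Any value no
 * larger than the 0x20 gap to safe_var reproduces the same behaviour here. */
#define INPUT_DATA_SIZE 24
/* Distance from input_data to safe_var, taken from the writeup's addresses. */
#define SAFE_VAR_OFFSET 0x20
/* One block that models the two adjacent heap objects, so the "overflow"
 * of input_data into safe_var is still a write inside one allocation. */
#define ARENA_SIZE 64

typedef struct {
    unsigned char *arena;
    char *input_data;   /* originally holds "pico" */
    char *safe_var;     /* originally holds "bico"; check_win() looks at this */
} heap_model;

/* Offset calculation from the writeup: safe_var address minus input_data address. */
static size_t payload_offset(unsigned long long input_data_addr,
                             unsigned long long safe_var_addr) {
    return (size_t)(safe_var_addr - input_data_addr);
}

static heap_model model_init(void) {
    heap_model m;
    m.arena = calloc(ARENA_SIZE, 1);
    m.input_data = (char *)m.arena;
    m.safe_var = (char *)m.arena + SAFE_VAR_OFFSET;
    strcpy(m.input_data, "pico");
    strcpy(m.safe_var, "bico");
    return m;
}

/* Vulnerable: unbounded copy, the same effect as scanf("%s", input_data).
 * Writes strlen(input) + 1 bytes, terminator included, regardless of size. */
static void write_buffer_unsafe(heap_model *m, const char *input) {
    strcpy(m->input_data, input);
}

/* Hardened: refuse anything that does not fit with its terminator.
 * Returns 0 on success, -1 if the input was rejected (buffer untouched). */
static int write_buffer_safe(heap_model *m, const char *input) {
    size_t n = strlen(input);
    if (n >= INPUT_DATA_SIZE)
        return -1;
    memcpy(m->input_data, input, n + 1);
    return 0;
}

/* Mirrors check_win(): has safe_var been changed from its initial "bico"? */
static int safe_var_modified(const heap_model *m) {
    return strcmp(m->safe_var, "bico") != 0;
}

/* Feed input_len 'A' characters through one of the two write paths.
 * Returns 1 if safe_var was altered, 0 if not, -1 if the input would leave
 * the modelled arena (kept out so the model itself never corrupts memory). */
static int simulate(int hardened, size_t input_len) {
    if (input_len >= ARENA_SIZE)
        return -1;
    heap_model m = model_init();
    char *input = malloc(input_len + 1);
    memset(input, 'A', input_len);
    input[input_len] = '\0';

    if (hardened)
        write_buffer_safe(&m, input);
    else
        write_buffer_unsafe(&m, input);

    int hit = safe_var_modified(&m);
    free(input);
    free(m.arena);
    return hit;
}

int main(void) {
    printf("offset to safe_var: %zu bytes\n",
           payload_offset(0x5630d9c926b0ULL, 0x5630d9c926d0ULL));
    printf("unsafe, 31 A's: safe_var modified = %d\n", simulate(0, 31));
    printf("unsafe, 32 A's: safe_var modified = %d\n", simulate(0, 32));
    printf("safe,   32 A's: safe_var modified = %d\n", simulate(1, 32));
    return 0;
}
```

With 31 As the terminator still lands inside input_data's 32-byte span and "bico" survives; with 32 As the terminator is byte 33 and becomes the first byte of safe_var, which is the empty-string result the writeup describes. The hardened write rejects the same input outright, which is the behaviour a bounded read (a width on the scanf() conversion, or fgets() with the buffer size) would give the real program.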


© 2025 Emir Durakovic. All rights reserved.