swiss hacking challenge 2024 - office-program
Difficulty: baby
Category: pwn
Author: xnull
Welcome to the office program
It can be used to manage your monthly finance reports and add data to your hard-drive
Files
We are provided with a main executable:
$ file main
main: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=99f602c6b21523e176cc32f05046b7d2f970047f, for GNU/Linux 3.2.0, not stripped
Exploitation
When opening the file with Binary Ninja and looking at the decompilation, we see the following:
int32_t var_c;
scanf(&data_212c, &var_c);
important_work_or_attend_a_meeting();
if (var_c == 3)
{
    break;
}
if (var_c < 0)
{
    puts("\nInput out of range. You confus…");
    var_c = -(var_c);
}
var_c = (var_c + 5);
if (var_c < 0)
{
    puts("\nInput out of range. You confus…");
    print_flag();
}
To get the flag, we must input an integer that only becomes smaller than 0 after 5 has been added to it. WAT?
As var_c (our input) is a signed 32-bit integer, we can cause it to overflow.
Signed 32-bit integers are stored in so-called two’s complement, where the leftmost bit determines whether the value is positive or negative.
That means that if we submit the largest possible 32-bit integer (2147483647) as input, it passes the first var_c < 0 check as a positive value. However, as soon as 5 is added, the result no longer fits in the value bits and carries into the sign bit, causing it to become negative.
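The wraparound described above, modelled in C next to a range-checked variant. This is an added example, not the challenge source: reaches_flag and checked_step are hypothetical names, and the model does its arithmetic on uint32_t because signed overflow is undefined behaviour in C.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the decompiled logic. Unsigned arithmetic makes the 32-bit
 * wraparound well defined. Returns true if print_flag() would be reached. */
static bool reaches_flag(int32_t input)
{
    uint32_t v = (uint32_t)input;
    if (input < 0)
        v = 0u - v;                /* var_c = -(var_c) */
    v += 5u;                       /* var_c = var_c + 5 */
    return (v & 0x80000000u) != 0; /* sign bit set means var_c < 0 */
}

/* Hardened variant (assumed fix): reject any value whose negation or +5
 * cannot be represented, so the result can never wrap to a negative. */
static bool checked_step(int32_t input, int32_t *out)
{
    if (input == INT32_MIN)        /* -INT32_MIN is not representable */
        return false;
    if (input < 0)
        input = -input;
    if (input > INT32_MAX - 5)     /* input + 5 would overflow */
        return false;
    *out = input + 5;
    return true;
}

int main(void)
{
    /* Constructed sample inputs around the boundary. */
    const int32_t samples[] = { 1, -7, INT32_MAX - 5, INT32_MAX - 4, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t r = 0;
        bool ok = checked_step(samples[i], &r);
        printf("%11d  original reaches flag: %d  hardened accepts: %d\n",
               (int)samples[i], reaches_flag(samples[i]), ok);
    }
    return 0;
}
```
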
The code in the second if is executed and we get the flag:
Flag
Conclusion
Great challenge, in the context of the CTF theme this is probably also a reference to the Year 2038 problem :D