The program given is made to write a book chapter by chapter.
When we look at the code we can see that when we edit a chapter that we have already writen :
Here we can see that the function gets allow us to overflow the size of curr_ch->content.
But the segmentation fault is triggered when we publish the book, because we call the function print_chapter and the content of our chapter is put in the heap.
So if we look at the heap before the call :
We can see that if we can overflow far enough, we can override the address 0x0804875f which is print_chapter.
Also we know that it’s that address which is call, because the next instructions are :
We see that the content of eax+0x13c is loaded in eax.
And is called after that.
With calculation or with some tries, we can find that we start overiding the address of print_chapter after a padding of 258
How to exploit
We see that we need to call the function give_flag. But before that we need to call the function validate to change the value of success.
First step : get address from plt
We just do an objdump with grep to obtain the address of validate and give_flag
Second Step : Call validate function
At this point we know that we need to call the validate function. But the function takes an argument used to change the value of success. We have this comparaison :
We see that the function need to have 0x40 (64) to pass the test.
If we look at how the print_chapter, we see that the first argument to the function is EDX (0x804b070) and the second is our content of chapter (ebp-0xc). If we look at the C code now, we realize that the first argument is the chapter number (i).
Okay now we have everything for our exploitation.
Third Step : Build the exploit and Enjoy
We know that we need to create at least 65 articles to sucessfully read the content of flag.txt. We have to override the print_chapter function with validate on the 64th chapter and override it with give_flag on the 65th.
In a first time we need to create 65 casual articles and edit the 64th and 65th to override the print_chapter call.