# matrix X matrix (pwn 175)

## Description


Matrix is magic!!!
nc 52.68.53.28 31337

matrix-a0e5c5c0a8f05896a7f03d8ed4588027
libc-3f6aaa980b58f7c7590dee12d731e099.so.6


## The bugs

In main, the program reads the size of the matrix from the user with `%d`. Nothing checks that this value is positive, so it can be negative.

```c
...
printf("Hello %s \nThat is a program of matrix multiplication\n", name_buf);
fflush(stdout);
puts("Enter the size of matrix");
fflush(stdout);
__isoc99_scanf((__int64)"%d", (__int64)&v38);        /* signed size, never validated */
v43 = v38 - 1LL;
v35 = 0LL;
v34 = 8LL * v38;                                      /* row stride in bytes; negative when v38 < 0 */
v44 = v38 - 1LL;
v32 = v38;
v33 = 0LL;
v30 = v38;
v31 = 0LL;
v3 = alloca(16 * ((8 * v38 * (signed __int64)v38 + 22) / 16uLL));  /* v38*v38 >= 0, so the buffer itself is sized sanely */
v45 = 8 * (((unsigned __int64)&v9 + 7) >> 3);         /* 8-byte aligned base of the alloca'd buffer */
v42 = abs(v38);                                       /* loop bound uses |v38| ... */
for ( i = 0; i < v42; ++i )
{
    for ( j = 0; j < v42; ++j )
    {
        printf("Enter the (%d,%d) element of the first matrix : ", i, j);
        fflush(stdout);
        /* ... but the element address uses the signed stride v34 */
        __isoc99_scanf((__int64)"%lld", 8 * (j + ((unsigned __int64)v34 >> 3) * i) + v45);
    }
}
...
```


In the code above, v34 = 8 * v38 is computed from a possibly negative v38. The index expression casts v34 to unsigned before shifting, but the subsequent multiplication by i and by 8 wraps modulo 2^64, so the element address is effectively v45 + 8 * (j + v38 * i): a negative row stride. The loop bound is abs(v38), so every row after the first is written below the alloca'd buffer, into the stack region that scanf's own frame occupies while it is executing. Specifically, when 8 * (j + ((unsigned __int64)v34 >> 3) * i) is -8, the value we type overwrites the return address of scanf.

## Exploit

We use the bug twice:

1. Leak the address of puts, use it to compute the libc base address, then return to main so the program asks for another matrix.
2. Use the libc base address to compute the address of system and return to it. We store our command in the name buffer (name_buf above).

For every element we do not want to touch, we send a lone hyphen (-): "%lld" then fails to match a number and scanf stores nothing, so the original stack contents are preserved until the loop reaches the return address slot.
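To make the index arithmetic from "The bugs" and the hyphen trick above concrete, here is an added C model; it is not the challenge binary's code or the writeup's exploit. It reproduces the decompiled offset expression with the same operand types, counts how many of the writes escape the alloca'd buffer, locates the loop iteration that lands at offset -8, shows a hardened size check, and verifies that a lone "-" leaves the scanf target untouched. The function names, MAX_MATRIX_N, and the sample sizes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte offset of element (i, j) from the aligned buffer base v45, computed
 * exactly as the decompiled loop does:
 *     8 * (j + ((unsigned __int64)v34 >> 3) * i),   v34 = 8LL * v38
 * The unsigned arithmetic wraps modulo 2^64; the result is returned signed
 * so that out-of-bounds (negative) offsets are visible. */
int64_t matrix_elem_offset(int v38, int i, int j)
{
    int64_t v34 = 8LL * v38;                 /* negative when v38 < 0 */
    uint64_t stride = (uint64_t)v34 >> 3;    /* v38 < 0: 2^61 + v38, not |v38| */
    uint64_t off = 8ULL * ((uint64_t)j + stride * (uint64_t)i);
    return (int64_t)off;                     /* == 8 * (j + v38 * i) mod 2^64 */
}

/* Number of the |v38|^2 scanf targets that fall outside the
 * 8 * v38 * v38 bytes alloca reserved (below the buffer or past its end). */
int count_oob_writes(int v38)
{
    int n = abs(v38);
    int64_t bufsize = 8LL * v38 * v38;
    int oob = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++) {
            int64_t off = matrix_elem_offset(v38, i, j);
            if (off < 0 || off + 8 > bufsize)
                oob++;
        }
    return oob;
}

/* Loop iteration whose write lands at byte offset `target` (e.g. -8, the
 * slot the writeup identifies as scanf's return address). */
struct hit { int found, i, j; };

struct hit find_write_at(int v38, int64_t target)
{
    struct hit h = { 0, -1, -1 };
    int n = abs(v38);
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (matrix_elem_offset(v38, i, j) == target) {
                h.found = 1; h.i = i; h.j = j;
                return h;
            }
    return h;
}

/* Hardened size check (assumed fix, not from the challenge binary): reject
 * non-positive sizes and cap n so 8*n*n can neither overflow nor exhaust the
 * stack. MAX_MATRIX_N is an illustrative limit. */
#define MAX_MATRIX_N 64
int matrix_size_is_valid(long n)
{
    return n > 0 && n <= MAX_MATRIX_N;
}

/* The "-" trick: a lone hyphen is a matching failure for "%lld", so scanf
 * consumes it without storing anything. Returns 1 when the target variable
 * is left untouched (constructed input, fed through sscanf for offline use). */
int hyphen_leaves_target_untouched(void)
{
    long long x = 0x4141414141414141LL;
    int ret = sscanf("-\n", "%lld", &x);
    return ret != 1 && x == 0x4141414141414141LL;
}

int main(void)
{
    int v38 = -2;
    printf("size %d: %d of %d writes out of bounds\n",
           v38, count_oob_writes(v38), v38 * v38);
    struct hit h = find_write_at(v38, -8);
    if (h.found)
        printf("element (%d,%d) is written at offset -8\n", h.i, h.j);
    printf("lone '-' leaves target untouched: %s\n",
           hyphen_leaves_target_untouched() ? "yes" : "no");
    return 0;
}
```

With size -2 the model reports that two of the four writes fall below the buffer and that element (1,1) is the one stored at offset -8; for size -n in general every row after the first lands below the buffer, so n*(n-1) of the writes are out of bounds and (1, n-1) is the iteration that hits -8.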

See
[exploit.py](https://github.com/pwning/public-writeup/blob/master/hitcon2015/pwn175-matrix/exploit.py)
for the full exploit.

## Flag

Flag: hitcon{tH4nK_U_4_pL4y1nG_W17H_3Bp_M47R1X}

Original writeup (https://github.com/pwning/public-writeup/blob/master/hitcon2015/pwn175-matrix/writeup.md).