Tags: pwn

Abuse a logic bug that results in an out-of-bounds (OOB) vulnerability when invoking call_function.
This OOB vulnerability allows invoking a function knowing only its address.
It also requires us to have the address of the to-be-invoked function on the stack, which is possible by editing the weights.

Note:
I also found a way to leak an address in the binary, but it turned out that ASLR is off, so I wasted my time on leaking, even though I didn't have to :(

Original writeup (https://github.com/j0nathanj/CTF-WriteUps/blob/master/2018/SwampCTF-2018/Astral-Mind/exploit.py).