
While trying to solve a challenge from a past CTF event I came across a unique problem that required me to do the following:

  1. Use the vulnerable method "gets()" to overflow the return address of the vuln function to another one, and the stack cell that is above it to another one that gives the flag, to create a ROP chain.
  2. Overflowing it was required in such a way that a global boolean variable in the second method will be able to pass the following boolean condition: if(a && !a){; and then to proceed safely to the last function.

This is obviously impossible; no boolean should be true and false at the same time, but if you look at the compiled assembly of it, it separates it into two different conditions, one that checks if it's true and one that checks if it's false, so the only option is to jump in between while taking into consideration that the default value of the boolean is false.

The result of overflowing to the middle address is an immediate termination of the program. Taking into consideration the fact that jumping to another method is required after landing in the middle of the second one, it seems like the middle jump is making something in the leave and ret functions be disturbed.

My question is:

Is it possible to jump into the middle of a function without disturbing the "folding" of a function and causing an error? If not, why? And if yes, what is needed to do so?

With respect, revolution

BTW: ASLR is activated, the program is written in C, the OS is Ubuntu 32-bit, and the challenge is from picoCTF 2019. This question is a general one that came as an inspiration from a challenge in the event, so write-ups are not the answer in this case.


0 Answers
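An added illustration of the mechanism behind the crash described in the question. This is model code written for this page, not the challenge binary and not anything the asker posted: a toy i386 frame simulator in C where the stack is an array of 32-bit words, addresses are indices into it, and SECOND, WIN, SAVED_EBP_SLOT and the instruction-by-instruction layout of the checking function are all assumed. It runs vuln()'s `leave; ret` on an overflowed frame and then steps through the checking function, entering either at its first instruction or past the prologue, at the spot between the two tests a compiler emits for `a && !a`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of i386 frame handling, written for this page (not the challenge
 * binary).  The stack is an array of 32-bit words and addresses are indices
 * into it; code addresses and slot positions below are assumed constants. */

#define NWORDS          32
#define JUNK            0x41414141u  /* what gets() left in the saved-ebp slot */
#define SECOND          0x08048400u  /* assumed address of the checking function */
#define WIN             0x08048500u  /* assumed address of the flag function */
#define SAVED_EBP_SLOT  20           /* assumed index of vuln()'s saved ebp */
#define RET_SLOT        (SAVED_EBP_SLOT + 1)  /* vuln()'s return address */

typedef struct {
    uint32_t stack[NWORDS];
    uint32_t esp, ebp, eip;
    uint32_t flag;      /* the global boolean; zero-initialised, i.e. false */
    int      body_ran;  /* did the block inside `if (a && !a)` execute? */
    int      crashed;   /* a stack access outside the array */
} cpu_t;

typedef struct { uint32_t eip; int body_ran; int crashed; } result_t;

static uint32_t pop(cpu_t *c)
{
    if (c->esp >= NWORDS) { c->crashed = 1; return 0; }
    return c->stack[c->esp++];
}

static void push(cpu_t *c, uint32_t v)
{
    if (c->esp == 0 || c->esp > NWORDS) { c->crashed = 1; return; }
    c->stack[--c->esp] = v;
}

/* leave = mov esp, ebp ; pop ebp.   ret = pop eip.
 * Whatever is in ebp becomes the stack pointer, so a bogus ebp
 * makes the two pops read garbage (or fault on a real machine). */
static void leave_ret(cpu_t *c)
{
    c->esp = c->ebp;
    c->ebp = pop(c);
    if (!c->crashed) c->eip = pop(c);
}

/* The checking function, one case per instruction.  The compiler turns
 * `if (a && !a)` into two separate tests of the same global; SECOND+4 is
 * the spot between them.  Returning there skips the prologue (0..2). */
static void run_second(cpu_t *c)
{
    uint32_t pc = c->eip;
    while (!c->crashed) {
        switch (pc - SECOND) {
        case 0: push(c, c->ebp);  pc++; break;                    /* push ebp      */
        case 1: c->ebp = c->esp;  pc++; break;                    /* mov ebp, esp  */
        case 2: c->esp -= 4;      pc++; break;                    /* sub esp, 0x10 */
        case 3: pc = (c->flag == 0) ? SECOND + 6 : pc + 1; break; /* test a        */
        case 4: pc = (c->flag != 0) ? SECOND + 6 : pc + 1; break; /* test !a       */
        case 5: c->body_ran = 1;  pc++; break;                    /* the if block  */
        case 6: leave_ret(c); return;                             /* leave ; ret   */
        default: c->crashed = 1; return;
        }
    }
}

/* vuln() returning after gets() rewrote its frame.  The three overflowed
 * words, low to high: [saved ebp][return address][next word of the chain]. */
static result_t run_chain(uint32_t fake_ebp, uint32_t ret_addr, uint32_t next_word)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.stack[SAVED_EBP_SLOT] = fake_ebp;
    c.stack[RET_SLOT]       = ret_addr;
    c.stack[RET_SLOT + 1]   = next_word;
    c.ebp = SAVED_EBP_SLOT;          /* vuln()'s own frame pointer is intact */
    c.esp = SAVED_EBP_SLOT - 8;      /* its locals sit below */
    leave_ret(&c);                   /* vuln()'s epilogue */
    if (!c.crashed && c.eip >= SECOND && c.eip < SECOND + 7)
        run_second(&c);
    result_t r = { c.crashed ? 0 : c.eip, c.body_ran, c.crashed };
    return r;
}

int main(void)
{
    result_t a = run_chain(JUNK, SECOND, WIN);          /* normal entry        */
    result_t b = run_chain(JUNK, SECOND + 4, WIN);      /* mid-function, junk  */
    result_t d = run_chain(RET_SLOT, SECOND + 4, WIN);  /* mid-function, fixed */
    printf("start:          eip=%#x body_ran=%d crashed=%d\n", (unsigned)a.eip, a.body_ran, a.crashed);
    printf("middle:         eip=%#x body_ran=%d crashed=%d\n", (unsigned)b.eip, b.body_ran, b.crashed);
    printf("middle+ebp fix: eip=%#x body_ran=%d crashed=%d\n", (unsigned)d.eip, d.body_ran, d.crashed);
    return 0;
}
```

The three runs show the whole story. Entering the checking function at its first instruction returns cleanly to WIN, but the first test sees the flag as false and the block never runs. Entering between the two tests runs the block, then crashes at that function's own `leave`: `leave` loads esp from ebp, the prologue that would have set ebp was skipped, so ebp still holds whatever the overflow wrote into vuln()'s saved-ebp slot. Putting the address of the return-address slot there instead makes the skipped function's epilogue pop that slot as ebp and then ret into the next word of the chain, so the block runs and control reaches WIN. In the model that address is simply a known index; on a real 32-bit target with ASLR the saved-ebp word has to be a valid writable address whose following word you control, which means a stack leak or another writable location, and that is an assumption the model does not solve for you.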