Assignment 2a › hacker track › assignment2-177 Digital test Mon, 20 Apr
Aryan
Found the vulnerability, explained every byte of the type confusion… and then it was past midnight. Exploitation left as an exercise for future me. Future me is someone else's problem.

See the assignment's PDF available on BrightSpace for task descriptions and submission requirements.

Level 10

(1) Explain what the vulnerabilities of the target program of this level were.
(2) Explain how you exploited the aforementioned vulnerabilities to gain access to the next level.
Your explanations must be clear and must not omit any detail.
Answer
Level 10 source code

1) This program manages memory slots using structs; each slot is 20 bytes. Bytes 0–3 hold the type tag, and bytes 4–11 hold either the integer value (int slots) or the pointer to the string data (string slots). Because both struct types share this layout, an operation meant for one type silently operates on the other.

Looking at handle_setint:

#include <stdio.h>   /* sscanf */
/* MemoryInt, memory[], MAX_MEMORY and set_int() are defined elsewhere in the level's source */

void handle_setint(const char* args) {
    int slot;
    long long arg;
    if(sscanf(args, "%d %lld", &slot, &arg) < 2)   /* parse "<slot> <value>" */
        return;
    if(slot >= 0 && slot < MAX_MEMORY)             /* bounds check on the slot index only */
        set_int((MemoryInt*)&memory[slot], arg);   /* no type check: any slot is cast to MemoryInt */
}

It writes to bytes 4–11 without checking the slot's current type tag. If the slot holds a string, those bytes are the pointer field, so setint 0 <address> overwrites the string pointer with an arbitrary integer. The type tag stays TYPE_STRING and the size stays whatever it was.

Then print 0 triggers:

fwrite(str->location, 1, str->location_size, stdout);

It reads location_size bytes starting at the address we supplied, leaking memory from anywhere in the process: a classic type confusion.
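To make the mitigation concrete, here is an added example (not the level's real source, which is only partially quoted above): a small C model of the 20-byte slot layout described in the answer, with the unchecked setint beside a hardened version that refuses to write through the wrong type tag. The tag values, the pad/pointer field names, slot_make_* and handle_print are our assumptions, and the layout assumes a 64-bit build where a pointer occupies bytes 4–11.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the memory-slot table; names and tag values are assumptions. */
#define MAX_MEMORY   4
#define TYPE_EMPTY   0
#define TYPE_INT     1
#define TYPE_STRING  2

#pragma pack(push, 1)               /* 20-byte slots with no padding, as in the write-up */
typedef struct {
    int32_t  type;                  /* bytes 0-3: type tag */
    int64_t  value;                 /* bytes 4-11: integer value */
    uint64_t pad;                   /* bytes 12-19: unused for ints */
} MemoryInt;

typedef struct {
    int32_t  type;                  /* bytes 0-3: type tag */
    char    *location;              /* bytes 4-11: pointer, same offset as value (64-bit build) */
    uint64_t location_size;         /* bytes 12-19: length fwrite() will use */
} MemoryString;
#pragma pack(pop)

static MemoryString memory[MAX_MEMORY];   /* the slot table */

static void set_int(MemoryInt *m, long long v) { m->value = v; }

/* Vulnerable variant: the cast makes any slot look like an int slot. */
int handle_setint_vulnerable(const char *args) {
    int slot; long long arg;
    if (sscanf(args, "%d %lld", &slot, &arg) < 2) return 0;
    if (slot >= 0 && slot < MAX_MEMORY) {
        set_int((MemoryInt *)&memory[slot], arg);   /* no type check */
        return 1;
    }
    return 0;
}

/* Hardened variant: consult the tag before reinterpreting bytes 4-11. */
int handle_setint_hardened(const char *args) {
    int slot; long long arg;
    if (sscanf(args, "%d %lld", &slot, &arg) < 2) return 0;
    if (slot < 0 || slot >= MAX_MEMORY) return 0;
    if (memory[slot].type != TYPE_INT) return 0;    /* refuse: slot is not an int */
    set_int((MemoryInt *)&memory[slot], arg);
    return 1;
}

/* Helpers to set up and inspect slots (demo plumbing, not part of the level). */
void slot_make_int(int slot, long long v) {
    MemoryInt *m = (MemoryInt *)&memory[slot];
    m->type = TYPE_INT; m->value = v; m->pad = 0;
}
void slot_make_string(int slot, char *buf, uint64_t len) {
    memory[slot].type = TYPE_STRING;
    memory[slot].location = buf;
    memory[slot].location_size = len;
}
int32_t   slot_type(int slot) { return memory[slot].type; }
int64_t   slot_int(int slot)  { return ((MemoryInt *)&memory[slot])->value; }
uintptr_t slot_ptr(int slot)  { return (uintptr_t)memory[slot].location; }

/* Print that only dereferences the pointer field when the tag says it is a pointer. */
int handle_print(int slot, FILE *out) {
    if (slot < 0 || slot >= MAX_MEMORY) return 0;
    if (memory[slot].type == TYPE_INT)
        return fprintf(out, "%lld\n", (long long)slot_int(slot)) > 0;
    if (memory[slot].type == TYPE_STRING && memory[slot].location != NULL)
        return fwrite(memory[slot].location, 1, memory[slot].location_size, out)
               == memory[slot].location_size;
    return 0;
}

int main(void) {
    static char hello[] = "hello";
    slot_make_string(0, hello, 5);
    slot_make_int(1, 7);
    /* The unchecked write changes the pointer bits while the tag still says "string". */
    printf("vulnerable: wrote=%d tag_is_string=%d ptr_bits=0x%llx\n",
           handle_setint_vulnerable("0 4919"), slot_type(0) == TYPE_STRING,
           (unsigned long long)slot_ptr(0));
    slot_make_string(0, hello, 5);                  /* restore the slot before printing it */
    printf("hardened: wrote=%d\n", handle_setint_hardened("0 4919"));
    handle_print(0, stdout); putchar('\n');
    handle_print(1, stdout);
    return 0;
}
```

The hardened check is the whole fix: once setint can only touch TYPE_INT slots, the invariant "a TYPE_STRING slot's bytes 4–11 are a pointer the program itself stored" holds again, and the existing fwrite in print is safe to keep. The demo never dereferences the corrupted pointer; it only shows that the bits changed under an unchanged tag.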

(Figure: struct definitions and terminal output)
Type Confusion in Memory Slots
setint writes bytes 4–11 of a slot without checking its type tag. If the slot holds a string, those bytes are the pointer field. We overwrite the pointer with an arbitrary address; print then calls fwrite(our_address, location_size, …) — leaking memory from anywhere.