# global writer

## Summary

This challenge is a global out-of-bounds write.

• The program lets you repeatedly set values[idx] = v.
• There is no bounds check on idx.
• values is a global array, so writing with negative indices walks backwards into other globals / GOT entries.
• Goal: execute /bin/sh on the remote service and read the flag.

We solve it by:

1. Writing the string "/bin/sh -i\0" into the global values[] buffer.
2. Overwriting puts@GOT with system@PLT.
3. Overwriting the global msg pointer to point at our values[] buffer.
4. Triggering puts(msg) → actually system("/bin/sh -i").

## Files

• Binary: global_writer/chal
• Source: gglobal_writer/src.c

## Vulnerability

From src.c:

c
#define SIZE 0x10

char *msg = "Update Complete";
int values[SIZE];
int idx, i;

...
scanf("%d", &idx);
...
scanf("%d", &values[idx]); // <- OOB write, idx is unchecked
...
puts(msg);

Because values is global, values[idx] indexes into the program’s .bss/.data region.

• For idx >= SIZE, you write past the end.
• For idx < 0, you write before the beginning.

That allows overwriting other global variables and also pointers stored in the writable GOT (the binary uses Partial RELRO).

## Mitigations / Why this still works

The compile flags in the comment suggest:

• -no-pie → fixed addresses (very helpful)
• -Wl,-z,relro → Partial RELRO (GOT is still writable)
• -fstack-protector-all → stack canary (irrelevant: we don’t smash the stack)
• NX enabled (irrelevant: we reuse existing system)

Key point: Partial RELRO means puts@GOT is writable.

## Exploitation Strategy

### 1) Store the command string in memory

The program only accepts integers, but values[] is an int[], so we can write 4 bytes at a time.
On amd64 little-endian:

• 0x6e69622f → bytes 2f 62 69 6e → "/bin"
• 0x2068732f → bytes 2f 73 68 20 → "/sh "
• 0x0000692d → bytes 2d 69 00 00 → "-i\0\0"

So values[0..2] becomes the string "/bin/sh -i\0".

### 2) Turn puts(msg) into system(msg)

The program calls puts(msg) at the end of edit().
If we overwrite puts@GOT to point to system@PLT, then the call site effectively becomes:

c
system(msg);

Because the binary is non-PIE, system@PLT is at a fixed address.

### 3) Make msg point to our string

msg is a global char*. If we overwrite it to the address of values, then msg points to the command string we wrote.

### 4) Trigger

Entering -1 for index exits the input loop and reaches puts(msg).
After the GOT overwrite, that becomes system("/bin/sh -i").

## Computing the right indices

Let:

• VALUES_ADDR = address of the global values array
• TARGET_ADDR = address we want to overwrite

Since each values[i] is 4 bytes:

$$\text{idx} = \frac{\text{TARGET\_ADDR} - \text{VALUES\_ADDR}}{4}$$

This is exactly what the helper does in the exploit:

py
def idx_for(addr: int) -> int:
    return (addr - VALUES_ADDR) // 4

For 64-bit pointers (like msg or a GOT entry), write the low 32 bits to idx and the high 32 bits to idx+1.

## Exploit

The full exploit is included below. In short it:

• writes "/bin/sh -i\0" into values[0..2]
• overwrites puts@GOT → system@PLT
• overwrites msg → &values[0]
• sends -1 to trigger the call

## Flag

Retrieved from the remote server:

TSGCTF{6O7_4nd_6lob4l_v4r1able5_ar3_4dj4c3n7_1n_m3m0ry_67216011}