Lab 6 - Rusty Rollercoaster
Overview
This lab provides a Rust application that needs to be exploited with a buffer overflow attack to extract hidden information.
Analysis
The ControlPanel structure has both the speed array and the shutdown flag:
- speed_array is a fixed-size array of 8 signed 32-bit integers.
- can_shutdown is a flag hard-coded to false after initializing the control panel values.
The solution is to find a way to overwrite the shutdown flag with true (1).
The speed_adjustment function allows you to directly update values in the speed_array using an unsafe block:
A few important things to consider from that code block:
- unsafe { ... } allows operations that bypass some of Rust’s safety guarantees.
- get_unchecked_mut() is a Rust slice/array method that skips bounds checking.
- as usize is a Rust type cast (often used for array indexing).
- the * in *buffer.get_unchecked_mut(...) dereferences a pointer or mutable reference.
The unsafe code is doing the following:
- Converts selection to usize.
- Subtracts 1 (likely converting from 1-based input to 0-based indexing).
- Gets a mutable element without bounds checking.
- Writes value into that position.
Equivalent safe Rust would look like:
but the unsafe version removes the bounds check for performance (or low-level control).
⚠️ The trick here is to perform out-of-bounds memory write operations by playing with Speed adjustments.
Solution
There are only 8 values in the speed_array. Setting a speed adjustment for entry 9 with the value 1 writes to the next entry in the control panel structure. In this case, it sets the can_shutdown flag to true.
After setting the value, you can select the Emergency Stop option from the menu.
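The layout reasoning and the bounds-checked alternative described above, as an added example that is not the lab's source code. Field names follow the text; the field types, the #[repr(C)] layout and the function names are assumptions. It shows that an unchecked write for entry 9 would land on the byte offset of can_shutdown, and that a checked write rejects every entry outside 1 to 8.

```rust
// Added example. Field names follow the lab text; the field types, the
// #[repr(C)] layout and the function names are assumptions.
#[repr(C)]
pub struct ControlPanel {
    pub speed_array: [i32; 8],
    pub can_shutdown: bool,
}

#[derive(Debug, PartialEq)]
pub enum AdjustError {
    OutOfRange(i32),
}

pub fn new_panel() -> ControlPanel {
    ControlPanel { speed_array: [0; 8], can_shutdown: false }
}

/// Byte offset (from the start of speed_array) that 1-based `entry` (>= 1) maps
/// to when no bounds check is applied: element entry-1, 4 bytes per i32.
pub fn unchecked_offset(entry: usize) -> usize {
    (entry - 1) * std::mem::size_of::<i32>()
}

/// Byte offset of can_shutdown from the start of speed_array.
pub fn flag_offset(panel: &ControlPanel) -> usize {
    let array = panel.speed_array.as_ptr() as usize;
    let flag = &panel.can_shutdown as *const bool as usize;
    flag - array
}

/// Hardened adjustment: rejects any selection outside 1..=8 before writing.
pub fn speed_adjustment_checked(
    panel: &mut ControlPanel,
    selection: i32,
    value: i32,
) -> Result<(), AdjustError> {
    if selection < 1 {
        return Err(AdjustError::OutOfRange(selection)); // 0 or negative would wrap as usize
    }
    match panel.speed_array.get_mut((selection - 1) as usize) {
        Some(slot) => { *slot = value; Ok(()) }
        None => Err(AdjustError::OutOfRange(selection)),
    }
}

fn main() {
    let mut panel = new_panel();
    println!("entry 9 -> byte {}, flag at byte {}", unchecked_offset(9), flag_offset(&panel));
    println!("{:?}", speed_adjustment_checked(&mut panel, 9, 1));
    println!("can_shutdown = {}", panel.can_shutdown);
}
```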