This challenge was released in Nov. 2015.
There is an uninitialized value when adding a pokémon.
So, to trigger and leverage the bug, we first add a valid one; when asked, we say Yes. Then, for the second one, we give an invalid size to trigger it.
From then on we can easily overflow the heap data (because the buffer data of the previous pokémon, the first one we added, is being re-used).
Then simply overwrite the pokémon's ASCII path to read the flag.
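The bug class behind this, as an added C example that is not the challenge binary nor the linked solution: a record's fields are only written on the valid path, so a second record added with an invalid size into storage that a previous record used inherits that record's length and (now dangling) buffer pointer, which is exactly the stale state a later bounded write would trust. The struct layout, function names and the fixed-slot model are constructed assumptions; the hardened variant validates first and initialises every field.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not the challenge's real layout): a pokédex record
 * that lives in storage a previous record already used. */
#define MAX_NAME 64

struct pokemon {
    unsigned int name_len;   /* bytes a later write may copy into name */
    char *name;              /* heap buffer of name_len bytes */
};

/* Vulnerable: on an invalid size nothing is written, so name_len and name
 * keep whatever the previous occupant of this slot stored (stale length,
 * dangling pointer), and the add is still reported as a success. */
int add_pokemon_vuln(struct pokemon *slot, unsigned int requested) {
    if (requested <= MAX_NAME) {
        slot->name_len = requested;
        slot->name = malloc(requested);
        return slot->name ? 0 : -1;
    }
    return 0;
}

/* Hardened: validate first, then initialise every field before the slot
 * counts as live, so nothing can be inherited from earlier use. */
int add_pokemon_fixed(struct pokemon *slot, unsigned int requested) {
    if (requested == 0 || requested > MAX_NAME)
        return -1;
    memset(slot, 0, sizeof *slot);
    slot->name = calloc(requested, 1);
    if (slot->name == NULL)
        return -1;
    slot->name_len = requested;
    return 0;
}

/* Release a record; the slot bytes are deliberately left as-is to mirror
 * storage that is recycled without being scrubbed. */
void release_pokemon(struct pokemon *slot) { free(slot->name); }

/* The write-up's sequence: add a valid record, release it, then add a second
 * one with an invalid size into the same slot. Returns the name_len the
 * second record reports: on the vulnerable path the first record's length,
 * on the fixed path 0 because the add is refused. */
unsigned int second_record_len(int use_fixed, unsigned int first, unsigned int bad) {
    struct pokemon slot;
    add_pokemon_fixed(&slot, first);
    release_pokemon(&slot);
    int rc = use_fixed ? add_pokemon_fixed(&slot, bad) : add_pokemon_vuln(&slot, bad);
    unsigned int got = rc == 0 ? slot.name_len : 0;
    if (rc == 0 && use_fixed) release_pokemon(&slot);   /* vuln path: name is dangling */
    return got;
}
```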
https://github.com/l4wio/CTF-challenges-by-me/blob/master/svattt-2015/final/pokedex/solution.py