The Third Annual Binary Golf Grand Prix took place from June 17th 2022 until September 2nd 2022.
The goal of this challenge was to create the smallest file (under 4 kilobytes) that crashed a given program. Additional points were awarded for hitting other goals.
The scores were calculated as follows:
- Base Score = 4096 - File Size
- Add 1024 for publishing a write up
- Add 1024 if the program counter was overwritten with 0x33's or ASCII "3"
- Add 2048 if code execution was achieved (proven by printing or returning the value "3")
- Add 4096 if you author a patch which is merged by the end of the competition.
There were a total of 34 entries, more than double last year's count and over 8 times the number of entries in the first BGGP.
- 23 entries came with writeups
- 3 entries included code execution. This was challenging because some entries could have achieved this, but it would've added greatly to the file size.
- 8 entries had patches that were authored and merged before the end of the competition.
- 2 additional entries had patches which were rejected :(
- 2 entries did not qualify as official entries due to size, delivery method, or other issues. These are included in the Honorable Mentions section.
- 2 entries came after BGGP and were added to this repo in the Honorable Mentions section.
Also, four new CVEs were awarded to participants:
- CVE-2022-39028 - telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works
- CVE-2022-39843 - Lotus 1-2-3 R3 for Linux < 1.0.0rc3
- CVE-2022-34927 - MilkyTracker v1.03.00
- CVE-2022-40363 - Flipper Zero < v0.65.2
These are the scored entries for BGGP3. Click on the author name to see their entry in this repo. The directories include the entry which was sent to us (.txt file), and the binary file of the entry (.bin file).
For the writeup and patch modifiers, the associated writeups and patches are linked from the score number in the table below. There is also a notes column which may be out of the viewport; scroll to the right to see it.
| Author | Date | Target | Size | Writeup | PC | Exec | Patch | Total Points | Notes |
|---|---|---|---|---|---|---|---|---|---|
| David3141593 | 20220729 | chip8 0.2.0-1ubuntu1 | 20 | +1024 | +0 | +2048 | +4096 | 11244 | |
| Dan Bastone | 20220903 | Lotus 1-2-3 R3 for Linux < 1.0.0rc3 | 34 | +1024 | +0 | +2048 | +4096 | 11230 | This score was adjusted; the exploit points were mistakenly not given. See the writeup for details. |
| PierreKimSec & AlexTorSec | 20220824 | multiple versions of telnetd | 2 | +1024 | +0 | +0 | +4096 | 9214 | |
| fridayortiz | 20220717 | Cave Story (HaikuOS) | 8 | +1024 | +0 | +0 | +4096 | 9208 | |
| _mattata | 20220714 | GNUCobol v3.1.2.0 | 40 | +1024 | +0 | +0 | +4096 | 9176 | |
| s01den | 20220727 | upx git-d7ba31+ | 518 | +1024 | +0 | +0 | +4096 | 8698 | |
| royhax91 | 20220804 | MilkyTracker v1.03.00 | 701 | +1024 | +0 | +0 | +4096 | 8515 | |
| qkumba | 20220901 | AppleWin v1.30.10.0 | 6 | +0 | +0 | +0 | +4096 | 8186 | |
| urisk | 20220827 | Gameboy Colour BIOS0 | 58 | +1024 | +1024 | +2048 | +0 | 8134 | |
| vechs | 20220825 | gnome-logs - Version 42.0 | 1 | +1024 | +0 | +0 | +0 | 5119 | |
| 0xNinja | 20220728 | Espruino | 4 | +1024 | +0 | +0 | +0 | 5116 | A patch was suggested but a different patch was written and merged :( |
| ifygecko | 20220902 | chocolate-doom | 8 | +1024 | +0 | +0 | +0 | 5112 | |
| echel0n | 20220729 | Brainflow | 14 | +1024 | +0 | +0 | +0 | 5106 | |
| yungintranet | 20220821 | nftables | 19 | +1024 | +0 | +0 | +0 | 5101 | A patch was suggested but a different patch was written and merged :( |
| novafacing | 20220818 | clang | 23 | +1024 | +0 | +0 | +0 | 5098 | |
| nopnopgoose | 20220902 | PCSX 2 Playstation 2 Emulator | 45 | +1024 | +0 | +0 | +0 | 5075 | |
| LouisKronberg | 20220724 | mold v1.2.1 | 50 | +1024 | +0 | +0 | +0 | 5070 | |
| junyian | 20220716 | GIMP 2.10.30 | 67 | +1024 | +0 | +0 | +0 | 5053 | |
| netspooky | 20220901 | rizin 0.4.0 | 72 | +1024 | +0 | +0 | +0 | 5048 | |
| endofunky | 20220824 | patchelf | 92 | +1024 | +0 | +0 | +0 | 5028 | |
| h0wdy | 20220831 | Renoise 3.4.2 | 128 | +1024 | +0 | +0 | +0 | 4992 | |
| scratchadams118 | 20220721 | munpack | 158 | +1024 | +0 | +0 | +0 | 4962 | |
| tecknicaltom | 20220619 | mediainfo v21.09 | 2 | +0 | +0 | +0 | +0 | 4094 | |
| qkumba | 20220627 | DOSBox 0.74 | 2 | +0 | +0 | +0 | +0 | 4094 | |
| 0xdroogy | 20220712 | qterminal 0.17.0 | 2 | +0 | +0 | +0 | +0 | 4094 | |
| tecknicaltom | 20220622 | exactimage 1.0.2 | 4 | +0 | +0 | +0 | +0 | 4092 | |
| seerskye | 20220902 | Hot Soup Processor 3.6 | 5 | +0 | +0 | +0 | +0 | 4091 | |
| linted | 20220831 | gdb 12.0.90 | 13 | +0 | +0 | +0 | +0 | 4083 | |
| David3141593 | 20220812 | qemu | 29 | +0 | +0 | +0 | +0 | 4067 | POC |
| netspooky | 20220726 | radare2 v5.7.0 | 32 | +0 | +0 | +0 | +0 | 4064 | POC |
| softwarejosh & potionhax | 20220902 | libjpeg-turbo-2.1.4 | 166 | +0 | +0 | +0 | +0 | 3930 | |
| q3w3e3 | 20220724 | Portal 2 | 1094 | +0 | +0 | +0 | +0 | 3002 | |
These entries were written with BGGP3 in mind, but didn't qualify due to reasons discussed in their respective writeups.
- TheXcellerator - 20220826 - tetsuji: Pokemon Crystal RCE
- VVX7 - 20220902 - Flipper Zero NFC Buffer Overflow
- eatscrayon - Things that are not BGGP3 Entries - Weirdness in CHASOPRO 4.0.249, Famitracker v0.4.6, and Windows Event Logs
- jordan9001 - Too late for BGGP3, too early for starships - procmon64.exe crash via PML files. Full writeup.
Huge thanks go to the following:
- Everyone who participated this year!
- Everyone who shared, wrote about, expanded on, debated, wrote patches for, and was inspired by this year's Binary Golf Grand Prix.
- Binary Golf Association for helping with organizing, brainstorming, and promoting the event.
- tmp.0ut for allowing us to use their website to host the challenge announcement.
- xcellerator for doing a majority of the scoring and verification.
- yoffdog for designing the poster, logo, and other assets
An ultra-special thanks goes to everyone who encouraged, coached, and guided many of the new people who worked on this challenge. Several people who participated this year had never found a bug before, let alone written a PoC, a patch, or a detailed technical blog. This kind of community effort and openness is what will drive this culture forward.
Unlike most CTFs or competitive programming challenges, the Binary Golf Grand Prix is more of a personal quest. There's no right or wrong answer to the question, and no right or wrong way to find the answer.
Constraints are a breeding ground for innovation. When we challenge ourselves to find the smallest, weirdest, and most unlikely ways to achieve our goals, we will often figure out entirely new pathways that we can build upon in the future. It's our sincere hope that BGGP has made you think differently in some way.
If you have any questions, comments, or concerns, please contact us via Twitter or the BGGP channel in the tmp.0ut Discord.
See you next year!
~ netspooky/BGA