Heap 0 level teaches us that variables that are placed in a heap are referenced by different addresses in memory far from stack. Two sequential allocations have a high probability to be one after the other in memory. We can exploit this by overflowing buffer.
While memory is being malloc'ed, it is allocated as structures that contain 8 bytes of extra information before returned address. So if you run heap0 with argument 'a', you get that:
data is at 0x804a008, fp is at 0x804a050.
So memory layout starting from 0x804a000 looks like:
Bytes that are colored blue are malloc structure bytes. Our task is to place the value 0x08048464 which is the address of a winner function (use objdump -t /opt/protostar/bin/heap0 to get that address) into fp. To accomplish this we need to write any 64 + 8 = 72 bytes bytes to name and "\x64\x84\x04\x08" to overwrite fp.
The solution is:
/opt/protostar/bin/heap0 `perl -e 'print "A"x72 . "\x64\x84\x04\x08"'`
Screen:
While memory is being malloc'ed, it is allocated as structures that contain 8 bytes of extra information before returned address. So if you run heap0 with argument 'a', you get that:
data is at 0x804a008, fp is at 0x804a050.
So memory layout starting from 0x804a000 looks like:
The solution is:
/opt/protostar/bin/heap0 `perl -e 'print "A"x72 . "\x64\x84\x04\x08"'`
Screen:
No comments:
Post a Comment