Wednesday 4 September 2013

Exploit exercises - Protostar - Heap 1

In this task there are a few more calls to malloc. As we can see, the first strcpy is able to overwrite all of the other allocated data except the first allocation. The data is allocated in the way shown in the picture.

The next strcpy takes an address from the allocated memory and writes its second argument there, so we can overwrite an arbitrary place in memory.
Since main calls puts after the second strcpy has finished, and the winner function doesn't use puts, we can overwrite the GOT entry for puts to redirect execution flow to winner.


To do that we supply 20 bytes of padding followed by the address as the first argument, and the value as the second argument:
./heap1 `perl -e 'print "a"x20 . "\x74\x97\x04\x08" . " " . "\x94\x84\x04\x08"'`
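As an added example (not the post's own code, and not the Protostar heap1 source), here is the same allocation pattern written with a bounded copy in place of strcpy, so that an overlong first input cannot reach the pointer field of the neighbouring chunk. The struct record type, the NAME_CAP size, and the function names bounded_copy and set_names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record that mirrors the layout the writeup describes:
 * a small struct whose second field points at a separately malloc'd
 * name buffer. The names and the 8-byte size are assumptions, not the
 * heap1 source. */
#define NAME_CAP 8

struct record {
    int priority;
    char *name;   /* heap buffer of NAME_CAP bytes */
};

/* Bounded replacement for strcpy: copy only when the whole string,
 * including its terminating NUL, fits in cap bytes. Returns 0 on
 * success and -1 when the input would overflow; dst is untouched
 * in the failure case, so nothing past the buffer can be reached. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Allocate two records and two name buffers, then fill the names with
 * bounded_copy. Returns the number of inputs rejected because they did
 * not fit, -1 on malloc failure, or -2 if the second record's name
 * pointer changed (a self-check: the bounded copy makes that impossible). */
int set_names(const char *first, const char *second)
{
    struct record *r1 = malloc(sizeof *r1);
    struct record *r2 = malloc(sizeof *r2);
    char *n1 = malloc(NAME_CAP);
    char *n2 = malloc(NAME_CAP);
    int rejected = 0;

    if (!r1 || !r2 || !n1 || !n2) {
        free(r1); free(r2); free(n1); free(n2);
        return -1;
    }
    r1->priority = 1; r1->name = n1;
    r2->priority = 2; r2->name = n2;

    if (bounded_copy(r1->name, NAME_CAP, first) != 0)
        rejected++;
    if (bounded_copy(r2->name, NAME_CAP, second) != 0)
        rejected++;

    /* The pointer that an overlong first input would have clobbered
     * with strcpy must still be the buffer we allocated. */
    if (r2->name != n2)
        rejected = -2;

    free(n1); free(n2); free(r1); free(r2);
    return rejected;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <first> <second>\n", argv[0]);
        return 1;
    }
    int rejected = set_names(argv[1], argv[2]);
    printf("rejected inputs: %d\n", rejected);
    return rejected == 0 ? 0 : 1;
}
```

The 20-byte padding from the post is exactly the kind of input bounded_copy refuses: with an 8-byte name buffer, anything of 8 or more characters is rejected before a single byte is written. Building the original with -fsanitize=address would flag the unbounded strcpy at the first overlong argument, which is a quick way to confirm the root cause rather than the symptom.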

P.S. To obtain the place in the GOT where the address of puts is stored, use objdump -R. To find the address of the winner function, use objdump -t.
Moreover, I've tried to write to the .dtors section to provide the winner function as a destructor, but it seems that even though the value is successfully written, it is not being called.
