Wednesday 4 September 2013

Exploit exercises - Protostar - Heap 2

In this task we control the sequence of malloc and free operations. The bug is in the allocation itself, not in a mismatch between binary and source: the program calls malloc(sizeof(auth)), and at that point auth names the pointer variable rather than the struct, so writing "auth 1" allocates only 4 bytes (on the 32-bit Protostar VM) for a 36-byte auth structure, a 32-byte name followed by the int flag. Whatever is allocated next therefore lands right behind that tiny chunk, and any allocation that puts a nonzero byte at offset 32 from the auth pointer makes login see auth->auth as set and print the success string. The service string is the tool for that: it is copied with strdup, so its length is bounded only by the input line, and with glibc's 16-byte minimum chunk on the Protostar VM it starts 16 bytes after auth. Index 16 of the service string thus overlaps auth->auth, so a service of 17 or more characters (the newline kept by fgets counts as one) sets the flag.


So to get string "you have logged in already!" you can do the following:
