Exploit-Exercises Protostar Heap1 Write up
- Jayakrishna Menon V
- Aug 21, 2015
- 2 min read
I couldn't find out the vulnerability by just looking through the code.
I supplied different types of input and when I gave an input of more than 20 bytes, I got a segmentation fault.
Why?
A segmentation fault occurs when the program tries to access a memory region which it does not have permission to access.
After loading it up in gdb, I found out that the segmentation fault occurs at the second strcpy statement and not the first.
Also the size of the second argument didn't seem to matter. All that mattered was whether or not the size of argv[1] was 20 bytes or less.
Here, the segmentation fault occurred because of an overflow.
The objects i1 and i2 of type internet are dynamically allocated on the heap using malloc.
Then, for each object, 8 bytes are dynamically allocated for its name buffer.
The point to note is that i1 and i2, which are pointers to structure objects, reside close to each other, and i1->name and i2->name also reside close to each other (i1->name and i2->name are each pointers to buffers on the heap).
The addresses pointed to by i1->name and i2->name are separated by 32 bytes. But the difference between the start of the buffer that i1->name points to and the location of the i2->name field is only 20 bytes. When the first argument is longer than 20 bytes, the address stored in i2->name is changed, and the second strcpy() then writes through that corrupted pointer. Hence the segfault.
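To make the layout concrete, here is an added example that is not part of the original write-up or of the Protostar challenge code. It models the 20-byte and 32-byte distances described above in a flat byte arena (so it does not depend on the real allocator's chunk headers), runs an unbounded copy into the first name buffer, and reads back what the i2->name field contains afterwards. The initial pointer value 0x11223344 is a constructed placeholder, and the function names are my own. It also shows the bounded-copy check that would have stopped the overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the write-up: the start of i1->name's buffer sits
 * 20 bytes before the i2->name pointer field and 32 bytes before the
 * buffer that i2->name points to. NAME_SIZE is the malloc(8) request. */
#define NAME_SIZE     8
#define I2_NAME_OFF   20
#define NAME2_OFF     32
#define ARENA_SIZE    (NAME2_OFF + NAME_SIZE)

/* Constructed placeholder for the address i2->name holds before any copy. */
#define INITIAL_I2_NAME 0x11223344u

/* A flat byte arena standing in for the heap region between i1->name's
 * buffer and i2->name's buffer; laid out by hand so the example does not
 * depend on the real allocator's chunk layout. Assumes a little-endian,
 * 32-bit-pointer target like the Protostar VM. */
struct heap_model {
    unsigned char arena[ARENA_SIZE];
};

static void model_init(struct heap_model *m) {
    uint32_t p = INITIAL_I2_NAME;
    memset(m->arena, 0, sizeof m->arena);
    memcpy(m->arena + I2_NAME_OFF, &p, sizeof p);  /* the i2->name field */
}

/* Read back the 4-byte pointer field at i2->name's position. */
static uint32_t model_i2_name(const struct heap_model *m) {
    uint32_t p;
    memcpy(&p, m->arena + I2_NAME_OFF, sizeof p);
    return p;
}

/* Byte-for-byte equivalent of strcpy, written out so no compiler
 * fortification intercepts the deliberately unbounded write. */
static void unbounded_copy(unsigned char *dst, const char *src) {
    while ((*dst++ = (unsigned char)*src++) != '\0')
        ;
}

/* The challenge's behaviour: strcpy(i1->name, argv[1]) with no length
 * check. Returns the value of i2->name afterwards so the caller can see
 * whether the copy reached it. */
uint32_t i2_name_after_vulnerable_copy(const char *arg1) {
    struct heap_model m;
    model_init(&m);
    unbounded_copy(m.arena, arg1);
    return model_i2_name(&m);
}

/* Hardened variant: reject anything that does not fit, terminator
 * included, in the NAME_SIZE buffer. Returns 0 on success, -1 on reject. */
int bounded_copy(struct heap_model *m, const char *arg1) {
    size_t n = strlen(arg1);
    if (n >= NAME_SIZE)            /* need room for the NUL as well */
        return -1;
    memcpy(m->arena, arg1, n + 1);
    return 0;
}

/* Returns 1 if the hardened copy accepted the input, 0 if it rejected it.
 * In both cases i2->name must be untouched; -1 flags a bug in the check. */
int hardened_copy_accepts(const char *arg1) {
    struct heap_model m;
    model_init(&m);
    int rc = bounded_copy(&m, arg1);
    if (model_i2_name(&m) != INITIAL_I2_NAME)
        return -1;
    return rc == 0;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one of exactly 20 bytes,
     * and one of 20 bytes of filler followed by 4 more bytes. */
    const char *inputs[] = {
        "bob",
        "AAAAAAAAAAAAAAAAAAAA",
        "AAAAAAAAAAAAAAAAAAAABBBB",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-26s i2->name after copy: 0x%08x  hardened accepts: %d\n",
               inputs[i], (unsigned)i2_name_after_vulnerable_copy(inputs[i]),
               hardened_copy_accepts(inputs[i]));
    }
    return 0;
}
```

One detail the model makes visible: an input of exactly 20 bytes already touches i2->name, because strcpy's terminating NUL lands on its lowest byte. The program survives only because the resulting pointer still falls inside mapped heap memory; from 21 bytes on, the bytes you supply replace the pointer outright. The bounded check therefore has to compare against the 8-byte buffer, not against the 20 bytes that happen to crash.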
So how can we exploit this?
This is a very powerful vulnerability which can be used to write anything anywhere. The first argument overwrites the 'where' of the second strcpy() with a location of your choice, which in this case could be either the saved eip or maybe even the GOT entry of puts() (20 bytes of junk + the address you want to overwrite).
The second argument specifies the 'what' of the second strcpy(). In order to pass this level, we need to call the function winner(). This can easily be done once we know how it all works.
First: Argument 1 must contain 20 bytes of junk followed by the address of the saved eip.
Second: Argument 2 must contain the address of winner().
Third: Sit back and enjoy.