The exploitation of a Heap overflowdepend on the program implementation. With this example, the attacker can exploit this in order to jump to an arbitrary function : "admin"
Source code
#include<stdio.h>#include<stdlib.h>#include<string.h>struct user{char username[32];char password[32];};typedefstruct ticket {void (*display)(struct ticket*);char username[32];char content[24];} Ticket;voiddisplay(Ticket *t){printf("%s\n",t->content);}charlogin(struct user *u){char secret[16] ="";char c; FILE *fp =fopen(".passwd","r");fread(secret,1,15, fp);fclose(fp); secret[15] ='\0';if (strcmp(u->password, secret)==0&&strcmp(u->password,"admin")==0) {return1; } else {return0; }}voidadmin(){printf("Welcome admin\n");// Make admin stuff}intmain(int argc,char**argv){int log;char c=1, i;char buf[8];struct user *u =malloc(sizeof(struct user));strcpy(u->username,"Guest");strcpy(u->password,"");struct ticket *t =malloc(sizeof(struct ticket));t->display = display;strcpy(t->content,"");strcpy(t->username,u->username);while(c){printf("Press enter char to continue...");fgets(buf,8, stdin);getchar();printf("\e[1;1H\e[2J");printf("Welcome %-10s.\nWhat to do you want to do ?\n",u->username);printf("1 - Read ticket\n");printf("2 - Create ticket\n");printf("3 - Delete ticket\n");printf("4 - Submit tickets\n");printf("5 - login\n");printf("0 - Exit\n");printf("Choice > ");scanf("%1s", buf); i = buf[0];printf("\e[1;1H\e[2J");switch (i) {case'0': c =0;break;case'1':printf("Resume : \n");t->display(t);break;case'2':printf("Ticket content : \n");scanf("%24s",t->content);fflush(stdout);break;case'5':printf("Please enter credentials : \n");printf("Username : ");scanf("%s", u->username);printf("Password : ");scanf("%s", u->password);if (login(u) ==1){admin(); }break;default:printf("Function not yet implemented !\n"); } }return0;}
This function will simply compare the username and the password with those for the admin user, if it's equals than the user is admin else it's a guest.
main
There is two parts into this function :
Variables setup
int log;char c=1, i;char buf[8];struct user *u =malloc(sizeof(struct user));strcpy(u->username,"Guest");strcpy(u->password,"");struct ticket *t =malloc(sizeof(struct ticket));t->display = display;strcpy(t->content,"");strcpy(t->username, u->username);
This part setup needed variables.
Note that struct user *u = malloc(sizeof(struct user)); and struct ticket *t = malloc(sizeof(struct ticket)); are made directly one after the other.
Because there have the exact same size and their are declared at the same time, their position in memory will be side by side.
Menu loop
while(c){printf("Press enter char to continue...");fgets(buf,8, stdin);getchar();printf("\e[1;1H\e[2J");printf("Welcome %-10s.\nWhat to do you want to do ?\n",u->username);printf("1 - Read ticket\n");printf("2 - Create ticket\n");printf("3 - Delete ticket\n");printf("4 - Submit tickets\n");printf("5 - login\n");printf("0 - Exit\n");printf("Choice > ");scanf("%1s", buf); i = buf[0];printf("\e[1;1H\e[2J");switch (i) {case'0': c =0;break;case'1':printf("Resume : \n");t->display(t);break;case'2':printf("Ticket content : \n");scanf("%24s",t->content);fflush(stdout);break;case'5':printf("Please enter credentials : \n");printf("Username : ");scanf("%s", u->username);printf("Password : ");scanf("%s", u->password);if (login(u) ==1){admin(); }break;default:printf("Function not yet implemented !\n"); } }
The user have some possible actions :
Read ticket
This action will call the display function pointed by the pointer stored inside the ticket.
Create ticket
This action will set the content and username values of the ticket
login
This action permit to the user to provide username and password to login.
Note: both username and password are get from user input without any length control.
Here is the overflow
Exploitation
As explain before, the two allocated chunk are side by side in memory and have the exact same size (64 bytes)
The objective is to overwrite the display pointer to make it point to the admin function.