# Heap exploitation

*by Javantea*
*April 25, 2019*

<pre>
10:57 <@javante> starting to think deep thoughts about heap exploitation
10:59 <@javante> the minimal setup required to exploit is not very much. I felt like it was essentially a heap overflow and a loop that lets you free, malloc, and so on, but that's more than you need
11:01 <@javante> assuming you have a large overflow, two mallocs, two frees, anyone think they can get eip (we'll work on exploitation later, eip is all we want for the first step)
11:02 <@javante> writing this challenge so I can test it...
11:05 <@javante> 23 lines of code
</pre>

```c
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    if(argc < 2)
    {
        printf("Usage: heap1 argument\n");
        return 1;
    }
    char *dest1 = malloc(1024);
    if(dest1 == 0) perror("malloc");
    char *dest2 = malloc(1024);
    if(dest2 == 0) perror("malloc");
    strcpy(dest1, argv[1]); /* unbounded copy: the intended overflow into dest2's chunk header */
    free(dest2);
    free(dest1);
    printf("And that is all.\n");
    return 0;
}
```

GPLv2

<pre>
14:18 <@javante> gcc -o heap1 heap1.c -Wall -ggdb -O2
14:18 <@javante> ./heap1
14:18 <@javante> Usage: heap1 argument
14:18 <@javante> ./heap1 test
14:18 <@javante> And that is all.
14:18 <@javante> ./heap1 $(python -c 'print("A"*1040)')
14:18 <@javante> *** buffer overflow detected ***: ./heap1 terminated
14:18 <@javante> Aborted
14:19 <@javante> pretty simple test, of course default protections and all that
14:20 <@javante> 70d: e8 8e ff ff ff callq 6a0 &lt;__strcpy_chk@plt&gt;
14:20 <@javante> I think that is fortify but I'm not 100%
14:55 <@javante> yup, fortity
14:55 <@javante> s/fortity/fortify/
14:55 <@javante> gcc -o heap1 heap1.c -Wall -ggdb -O2 -D_FORTIFY_SOURCE=0
14:55 <@javante> ./heap1 $(python -c 'print("A"*1040)')
                 double free or corruption (out)
14:55 <@javante> Aborted
14:57 <@javante> debugging the corefile with gdb..
14:57 <@javante> gdb ./heap1 core
14:57 <@javante> Core was generated by `./heap1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
14:57 <@javante> Program terminated with signal SIGABRT, Aborted.
14:57 <@javante> #0  0x00007f33db46fceb in raise () from /lib64/libc.so.6
14:57 <@javante> (gdb) frame 5
14:57 <@javante> #5  0x000055ae1a5636e5 in main (argc=&lt;optimized out&gt;, argv=0x7ffd9ecc1de8)
14:57 <@javante>     at heap1.c:18
14:57 <@javante> 18          free(dest2);
14:58 <@javante> (gdb) x/10wx dest2-8
14:58 <@javante> 0x55ae1c6b4668: 0x41414141 0x41414141 0x00000000 0x00000000
14:58 <@javante> 0x55ae1c6b4678: 0x00000000 0x00000000 0x00000000 0x00000000
14:58 <@javante> 0x55ae1c6b4688: 0x00000000 0x00000000
14:59 <@javante> so free can catch invalid values in our structure..
15:00 <@javante> let's check the value with valid input
15:02 <+Hamled> might I suggest https://gist.github.com/
15:02 <@javante> okay
15:02 <+Hamled> Thanks, my IRC client is not set up for fixed width :D
15:03 <@javante> I'll use neg9 wiki instead
15:03 <+Hamled> cool
</pre>

<pre>
(gdb) run AAAAA
Starting program: /home/j1/heap1 AAAAA

Breakpoint 1, 0x00007ffff7deeaf0 in free () from /lib64/ld-linux-x86-64.so.2
(gdb) c
Continuing.

Breakpoint 1, 0x00007ffff7a96ca0 in free () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7a96ca0 in free () from /lib64/libc.so.6
#1  0x00005555555546e5 in main (argc=&lt;optimized out&gt;, argv=0x7fffffffd998) at heap1.c:18
(gdb) frame 1
#1  0x00005555555546e5 in main (argc=&lt;optimized out&gt;, argv=0x7fffffffd998) at heap1.c:18
18          free(dest2);
(gdb) x/10wx dest2-8
0x555555756668: 0x00000411 0x00000000 0x00000000 0x00000000
0x555555756678: 0x00000000 0x00000000 0x00000000 0x00000000
0x555555756688: 0x00000000 0x00000000
</pre>
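The two `x/10wx dest2-8` dumps above differ only in the 8-byte size word that glibc keeps just before each chunk's user pointer: 0x411 for a clean malloc(1024), 0x4141414141414141 after the 1040-byte copy. The model below, added here and not part of the original log or challenge code, reproduces how glibc derives that 0x411 and walks the integrity checks `free()` applies to the word, so that the corrupted value lands on exactly the "double free or corruption (out)" message the log shows. It assumes glibc on x86-64 (8-byte size word, 16-byte alignment, 32-byte minimum chunk) and the 2.27-era check order and messages; the arena addresses used to exercise it are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* glibc malloc constants for x86-64, assumed here rather than read from a live heap. */
#define SIZE_SZ        8u
#define MALLOC_ALIGN   16u
#define MIN_CHUNK      32u
#define SIZE_BITS      0x7u   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE     0x1u

/* Chunk size glibc reserves for malloc(req): the request plus one header
   word, rounded up to the alignment and never below MINSIZE. */
size_t chunk_size_for(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(size_t)(MALLOC_ALIGN - 1);
    return sz < MIN_CHUNK ? MIN_CHUNK : sz;
}

/* The size word stored at user_ptr - 8 when the preceding chunk is in use;
   this is the 0x411 the clean gdb run shows for malloc(1024). */
size_t size_word_for(size_t req)
{
    return chunk_size_for(req) | PREV_INUSE;
}

/* Constructed stand-in for the arena state free() consults. */
struct arena_model {
    uintptr_t top_chunk;   /* address of the top (wilderness) chunk */
    size_t    top_size;    /* its size with the flag bits masked off */
};

/* Simplified model of the integrity checks glibc's _int_free applies to a
   non-fastbin chunk, in the order glibc runs them (2.27-era messages). */
const char *free_verdict(uintptr_t chunk, size_t size_word, const struct arena_model *av)
{
    size_t size = size_word & ~(size_t)SIZE_BITS;
    if (chunk > (uintptr_t)-size || chunk % MALLOC_ALIGN)
        return "free(): invalid pointer";
    if (size < MIN_CHUNK || size % MALLOC_ALIGN)
        return "free(): invalid size";
    if (chunk == av->top_chunk)
        return "double free or corruption (top)";
    if (chunk + size >= av->top_chunk + av->top_size)
        return "double free or corruption (out)";
    return "ok";  /* passes these checks; glibc goes on to inspect the next chunk */
}
```

Note that 0x4141414141414140 is 16-byte aligned and well above MINSIZE, so the corrupted word survives the "invalid size" check and is only caught when the computed next chunk falls past the end of the arena.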