Question:

Given this C program:

```c
// compilation: arm-linux-gnueabihf-gcc -o heap_hell heap_hell.c -Wl,-z,relr
// (the rest of the compilation line is cut off in the source)
//
// The header names and the "\n" escapes were lost when this page was extracted;
// they are restored here from what the code uses. The program is deliberately
// vulnerable, so its behaviour is otherwise left exactly as given.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// The welcome string is cut off in the source after "very h".
char *welcome_str = "Hello there, I present to you something that is very h";

char *menu_str = "========\n"
                 "give it to me!\n"
                 "show it to me!\n"
                 "dump it for me!\n"
                 "patch it for me!";

// All offsets supplied by the user are applied relative to this heap pointer.
char *base;

// Decodes a number written as up to 32 two-character pairs. A pair starting
// with 'O' contributes one bit: '0' for 1, 'o' for 0. Any other second
// character ends the parse early; pairs not starting with 'O' are skipped.
size_t parse_num(char *s) {
    size_t val = 0;
    int i;
    for(i = 0; i<32; ++i) {
        if(s[2*i]=='O') {
            val<<=1;
            if(s[2*i+1]=='0'){
                ++val;
            } else if(s[2*i+1]!='o'){
                printf("I tried!\n");
                return val;
            }
        }
    }
    return val;
}

size_t get_num() {
    char buf[256];
    if(scanf("%255s", &buf[0])!=1){
        exit(-1);
    } else {
        return parse_num(buf);
    }
}

// Copies bytes from stdin into out until a newline; there is no length limit,
// so the caller's buffer size is never checked.
void recvline(char *out) {
    char c='\0';
    while(1) {
        if(read(STDIN_FILENO, &c, 1)==-1) {
            exit(-1);
        } else if(c=='\n') {
            break;
        } else {
            *out=c;
            ++out;
        }
    }
}

void welcome() {
    setvbuf(stdin, 0, _IONBF, 0);
    setvbuf(stdout, 0, _IONBF, 0);
    puts(welcome_str);
}

// Allocates a user-chosen size and fills it with recvline (malloc result unchecked).
void alloc() {
    printf("Something need doing?\n");
    char* out = (char*)malloc(get_num());
    printf("Give some letters, now!\n");
    recvline(out);
}

// Prints whatever string sits at a user-chosen offset from base.
void print() {
    printf("Why not...: %s\n", base+get_num());
}

// Frees a user-chosen address relative to base.
void release() {
    printf("Me busy. Leave me alone!\n");
    void *tar = base + get_num();
    free(tar);
}

// Writes user data at a user-chosen offset from base.
void patch() {
    printf("Mhh?\n");
    size_t offset = get_num();
    printf("No time for play!\n");
    recvline(base + offset);
}

void menu() {
    puts(menu_str);
}

int main() {
    char choice[24];
    base = malloc(0);
    welcome();
    while(1) {
        menu();
        read(STDIN_FILENO, choice, 23);
        if(strncmp(choice, "give it to me!", 14)==0) {
            alloc();
        } else if(strncmp(choice, "show it to me!", 14)==0) {
            print();
        } else if (strncmp(choice, "dump it for me!", 15)==0) {
            release();
        } else if(strncmp(choice, "patch it for me!", 16)==0) {
            patch();
        } else {
            printf("What do you want?\n");
        }
    }
}
```

Identify and exploit the vulnerability present in the binary heap_hell. Write the exploit so that it spawns a shell that allows you to cat the flag. Provide the flag, your exploit code and an explanation of your code. Ensure that your exploit does not rely on absolute addresses, so that it works with ASLR enabled. The heap_hell sample exposes really dangerous functionality more as a feature than as a hidden bug, but you will still need to craft some inputs in order to exploit the service.

Notes:

- We highly recommend using pwntools. More information can be found here.
- To use the included debugger, we recommend tmux.
- To explore how GLIBC's ptmalloc implementation works, you may want to start by triggering different sizes, numbers and sequences of memory allocations and frees on chunks in varying orders. Look at how the heap behaves and which values show up where allocated chunks were located previously. To make playing around easier, you can also compile your own samples and run them on the provided device.
- Make sure that your exploit does not use absolute addresses and also works with ASLR enabled. The offset of any symbol to its associated text section (NOT any text section) does not change between program invocations. To obtain the actual offset of a pointer you saw in a debugger, take one example from within the debugger and subtract the correct base address.
- ASLR can sometimes be defeated by a brute-force approach (especially on 32-bit systems). This is not the solution here and is not acceptable.
