About

This level examines what can happen when heap pointers are stale.

This level is completed when you see the "you have logged in already!" message

This level is at /opt/protostar/bin/heap2

Source code


#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
struct auth {
        char name[32];
        int auth;
};
struct auth *auth;
char *service;
int main(int argc, char **argv)
{
        char line[128];
        while(1) {
                printf("[ auth = %p, service = %p ]\n", auth, service);
                if(fgets(line, sizeof(line), stdin) == NULL) break;

                if(strncmp(line, "auth ", 5) == 0) {
                        /* sizeof(auth) is the size of the pointer, not of struct auth */
                        auth = malloc(sizeof(auth));
                        memset(auth, 0, sizeof(auth));
                        if(strlen(line + 5) < 31) {
                                strcpy(auth->name, line + 5);
                        }
                }
                if(strncmp(line, "reset", 5) == 0) {
                        free(auth); /* auth keeps pointing at the freed chunk */
                }
                if(strncmp(line, "service", 6) == 0) {
                        service = strdup(line + 7);
                }
                if(strncmp(line, "login", 5) == 0) {
                        if(auth->auth) { /* reads through the possibly stale pointer */
                                printf("you have logged in already!\n");
                        } else {
                                printf("please enter your password\n");
                        }
                }
        }
}


This level has two variables, auth and service, both allocated dynamically with malloc. Start by setting a breakpoint on fgets in gdb.

(screenshot: 001748303.png)


First, check which addresses the two variables are allocated at:

(screenshot: 002248326.png)


Ordered by address, the layout is:

auth->name → service → auth->auth

This works because malloc(sizeof(auth)) requests only the size of the pointer, not of struct auth, so auth->auth at offset 32 lies past the end of the auth chunk and inside the chunk strdup returns for service. To overwrite auth->auth, it is therefore enough to give service content longer than 16 bytes.

(screenshot: 002539288.png)
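As an added example (not the Protostar source or this writeup's own code), here is a hardened rewrite of the command loop showing the three fixes that close this path: allocating the whole struct instead of sizeof(auth), clearing the pointer on reset, and refusing login when no record exists. The names struct session, handle_command, replay and the result codes are chosen here for illustration.

```c
/* Hardened variant of the heap2 command loop (added example, not Protostar's code).
 * Fixes: allocate sizeof(struct auth) instead of sizeof(auth) (the 4-byte pointer),
 * clear the dangling pointer on reset, and refuse login when no record exists. */
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <stdlib.h>
#include <string.h>

struct auth_rec { char name[32]; int auth; };
struct session { struct auth_rec *auth; char *service; };

enum result { R_OK = 0, R_NO_SESSION, R_LOGGED_IN, R_NEED_PASSWORD, R_TOO_LONG, R_NOMEM };

int handle_command(struct session *s, const char *line)
{
    if (strncmp(line, "auth ", 5) == 0) {
        free(s->auth);                             /* drop any earlier record */
        s->auth = calloc(1, sizeof(*s->auth));     /* full struct, zeroed: ->auth is inside the chunk */
        if (s->auth == NULL) return R_NOMEM;
        size_t n = strcspn(line + 5, "\n");        /* name without the trailing newline */
        if (n >= sizeof(s->auth->name)) return R_TOO_LONG;
        memcpy(s->auth->name, line + 5, n);        /* calloc already left a terminator in place */
        return R_OK;
    }
    if (strncmp(line, "reset", 5) == 0) {
        free(s->auth);
        s->auth = NULL;                            /* no stale pointer for login to follow */
        return R_OK;
    }
    if (strncmp(line, "service", 7) == 0) {
        free(s->service);
        s->service = strdup(line + 7);             /* its own chunk, no longer overlapping auth->auth */
        return s->service ? R_OK : R_NOMEM;
    }
    if (strncmp(line, "login", 5) == 0) {
        if (s->auth == NULL) return R_NO_SESSION;  /* the original dereferenced freed memory here */
        return s->auth->auth ? R_LOGGED_IN : R_NEED_PASSWORD;
    }
    return R_OK;
}

/* Feed a sequence of input lines through a fresh session and return the last result. */
int replay(const char *const *lines, size_t n)
{
    struct session s = { NULL, NULL };
    int r = R_OK;
    for (size_t i = 0; i < n; i++) r = handle_command(&s, lines[i]);
    free(s.auth);
    free(s.service);
    return r;
}
```

With the struct allocated at its real size, an oversized service string no longer reaches auth->auth, and a login after reset is rejected instead of reading freed memory.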