Heap Exploits
Last updated
Last updated
This occurs when unsafe functions are used which can overflow buffers (such as strcpy
).
The idea is to overflow a pointer. When that pointer is written to, then since you can overflow it with an arbitrary value, then you will be able to write to an arbitrary address.
This allows you to overwrite a function pointer in the global offset table (GOT), or overwrite the function return pointer. The GOT method is more reliable.
Heap state before the first strcpy
:
Use after free occurs when a memory address is freed, but the variable that points to the free memory address is still used after the free.
By allocating space for new variable(s) into the space that was freed, you can control the value of the old variable through the value new variable(s). This is because if the old dangling variable is used again, then its value will be taken from the space where the new variable(s) was/were allocated.
Solution (all you have to do is interact with the program):
You allocate space for the auth variable on the heap. The auth
variable will point to the location of the allocated space on the heap. Then you free that space. However, the variable is not nulled and it will still point to a freed space on the heap.
The service
command calls malloc()
behind the scenes (allocates space on the heap) and writes to the allocated space.
This space will be allocated to the same spot that was freed earlier. And data will be written there. The auth variable still points to that spot, so you're effectively overwriting the contents of auth.
By specifying a long string ("aaaaaaaaaa...") you're overwriting the 32 byte buffer of name
and overwriting auth
.
Thus, the application thinks you're logged in.