About
This level examines what can happen when heap pointers are stale.
This level is completed when you see the "you have logged in already!" message
This level is at /opt/protostar/bin/heap2
Source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/types.h>
#include <stdio.h>

/* Login record: a 32-byte name followed by the "logged in" flag, so the
 * flag lives at offset 32 from the start of the struct. */
struct auth {
    char name[32];
    int auth;
};

/* Both globals are heap pointers.  Neither is ever set back to NULL after
 * free(), which is what makes them go stale (the point of this level). */
struct auth *auth;
char *service;

/* Command loop for the heap2 level.  Reads one line at a time from stdin and
 * dispatches on its prefix ("auth ", "reset", "service", "login").  Leaves the
 * loop only when fgets() returns NULL; falls off the end without a return. */
int main(int argc, char **argv)
{
    char line[128];

    while(1) {
        /* Prints both heap pointers every iteration -- a free heap-address
         * leak for the attacker (and the reason no gdb is strictly needed
         * to learn the chunk layout). */
        printf("[ auth = %p, service = %p ]\n", auth, service);

        if(fgets(line, sizeof(line), stdin) == NULL) break;

        if(strncmp(line, "auth ", 5) == 0) {
            /* BUG: sizeof(auth) is the size of the *pointer* (4 bytes on
             * Protostar's 32-bit build), not sizeof(struct auth) (36).  The
             * chunk is a minimum-size one, so auth->auth at offset 32 lies
             * outside it, inside whatever malloc() places next (e.g. the
             * service string).  The memset() below clears only those same
             * sizeof(pointer) bytes, so auth->auth is never zeroed.  Any
             * previous auth allocation is also leaked, never freed. */
            auth = malloc(sizeof(auth));
            memset(auth, 0, sizeof(auth));
            /* The < 31 check bounds the name against the 32-byte field, but
             * the field itself is not inside the tiny chunk: strcpy() of up
             * to 30 chars + NUL overflows into the neighbouring chunk. */
            if(strlen(line + 5) < 31) {
                strcpy(auth->name, line + 5);
            }
        }

        if(strncmp(line, "reset", 5) == 0) {
            /* auth is freed but the global still holds the old address:
             * a stale pointer.  A second "reset" is a double free, and
             * "login" afterwards reads freed memory (use-after-free).
             * free(NULL) is fine, so "reset" before any "auth " is harmless. */
            free(auth);
        }

        if(strncmp(line, "service", 6) == 0) {
            /* Note only 6 of the 7 characters are compared, so "servic..."
             * also matches.  strdup() allocates a chunk whose size and
             * contents are attacker-controlled (everything after "service",
             * newline included), and malloc() may hand it the chunk just
             * freed by "reset".  The previous service string is leaked. */
            service = strdup(line + 7);
        }

        if(strncmp(line, "login", 5) == 0) {
            /* auth is dereferenced with no NULL check ("login" as the first
             * command crashes) and no check that it has not been freed. */
            if(auth->auth) {
                printf("you have logged in already!\n");
            } else {
                printf("please enter your password\n");
            }
        }
    }
}
该题有 auth 和 service 两个全局指针，分别通过 malloc 和 strdup 在堆上动态分配空间（程序每轮循环还会直接打印出这两个地址）。先通过 gdb 对 fgets 下断点，
先看看两个变量动态分配的地址是多少:
可以看到按地址顺序排列的是:
auth->name → service → auth->auth
原因在于 auth = malloc(sizeof(auth)) 里的 sizeof(auth) 取的是指针大小（32 位下为 4），而不是 sizeof(struct auth)（36），所以 auth 只拿到一个最小堆块，紧接着分配的 service 块就落在 auth+32 处的 auth->auth 字段之上（在 Protostar 的 32 位 glibc 上，auth->auth 恰好位于 service 字符串偏移 16 处）。因此要想覆盖 auth->auth，只需先执行 auth 命令，再将 service 给个大于 16 字节的内容（第 17 个字节非零即可），最后 login 即可看到 "you have logged in already!"。