Protostar/Heap 2

If you get stuck, you can watch the solution and explanation here:

Solving heap2 from exploit-exercises.com to learn about heap use-after-free (UAF) exploits

This level examines what can happen when heap pointers are stale.

This level is completed when you see the "you have logged in already!" message

This level is at /opt/protostar/bin/heap2

heap2.c

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

struct auth {
  char name[32];
  int auth;
};

struct auth *auth;
char *service;

int main(int argc, char **argv)
{
  char line[128];

  while(1) {
      printf("[ auth = %p, service = %p ]\n", auth, service);

      if(fgets(line, sizeof(line), stdin) == NULL) break;
      
      if(strncmp(line, "auth ", 5) == 0) {
          auth = malloc(sizeof(auth));
          memset(auth, 0, sizeof(auth));
          if(strlen(line + 5) < 31) {
              strcpy(auth->name, line + 5);
          }
      }
      if(strncmp(line, "reset", 5) == 0) {
          free(auth);
      }
      if(strncmp(line, "service", 6) == 0) {
          service = strdup(line + 7);
      }
      if(strncmp(line, "login", 5) == 0) {
          if(auth->auth) {
              printf("you have logged in already!\n");
          } else {
              printf("please enter your password\n");
          }
      }
  }
}

See also

Introducing the heap by looking at what malloc() does.

We are solving heap1 from exploit-exercises.com by exploiting a heap overflow.

This is a mirror. Copyright and original can be found here: exploit-exercises.com/protostar/heap2/