Protostar/Heap 3

If you get stuck, you can watch the solution and explanation here:

An introduction on how to abuse Heap metadata to redirect program execution.

An introduction on how to abuse Heap metadata to redirect program execution.

This level introduces the Doug Lea Malloc (dlmalloc) and how heap meta data can be modified to change program execution.

This level is at /opt/protostar/bin/heap3

heap3.c

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

void winner()
{
  printf("that wasn't too bad now, was it? @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  char *a, *b, *c;

  a = malloc(32);
  b = malloc(32);
  c = malloc(32);

  strcpy(a, argv[1]);
  strcpy(b, argv[2]);
  strcpy(c, argv[3]);

  free(c);
  free(b);
  free(a);

  printf("dynamite failed?\n");
}

See also

Introducing the heap by looking at what malloc() does.

We are solving heap1 from exploit-exercises.com by exploiting a heap overflow.

Solving heap2 from exploit-exercises.com to learn about heap use-after-free (UAF) exploits

This is a mirror. Copyright and original can be found here: exploit-exercises.com/protostar/heap3/