Are overflows just a stack concern?
Then, the task provides us with the all materials we need.
As usual, the full source code is provided below:
All the task gives us a hint that we are dealing with Heap overflow. It even provides us with the functionality for better understanding our actions.
So, to understand what this task (and the vulnerability) is about, let's look at this part of the code:
input_data = malloc(INPUT_DATA_SIZE);
strncpy(input_data, "pico", INPUT_DATA_SIZE);
safe_var = malloc(SAFE_VAR_SIZE);
strncpy(safe_var, "bico", SAFE_VAR_SIZE);
Here, we can see that two values are allocated using malloc right after another. This means that they will bi situated in the heap one under another. As heap grows down, that means that the input_data is stored upper than the safe_var and that means that the overflow of input_data will influence the safe_var.
If we examine code a bit more, we will notice that the goal of the task is to override the safe_var value. And this can be easily made as we control input_data and there are no protection mechanisms that will prevent its overflow.
Thus, the task can be solved if we transmit a rather long string to the input_var which will cause the heap overflow and will change the safe_var value.
But, I think the more interesting here is to understand how many symbols exactly we should transmit in order to overflow the heap. I've spent some time searching the answer on the internet. The most interesting thing I found here.
So, the malloc function actually allocates more space than is asked to it. But how many - depends on the "malloc decision". Actually, it on the architecture used - malloc allocates the nubmer of bytes multiple by 16, for example. After a set of experiments I found that in this case malloc allocates 32 bytes (instead of asked 5) for the variables on the heap. So, we can transmit any 33 bytes to override the safe_var value.
This is my exploit:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
And this is how I got the flag in Figure 1: