Final (heap3) challenge from ProtostarCTF - solved. Details below...
Like before, we will try to exploit a heap-related vulnerability. (Before going deeper you should already be familiar with this and this paper.) Here we go...
To continue, we will run the program in gdb. Next, let's apply two settings:
- set disassembly-flavor intel
- set pagination off
Now we can proceed with the analysis:
I decided to set a few breakpoints (on the CALLs). Now we are able to check each step during the debugging session:
Start (and continue):
(After the start and continue) let's analyze our heap-range now:
Continuing... after a few 'c' commands we will have (m)allocated all 3 arguments:
(Still in 2nd arg; continue):
Restarting and preparing the correct length(s):
And one more shot directly from the shell: